Comment 2 for bug 1825549

This sounds like a classic "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ( https://cwe.mitre.org/data/definitions/601.html ) so probably a class A vulnerability report per https://security.openstack.org/vmt-process.html#incident-report-taxonomy if it can be cleanly patched on all affected stable branches.