Lucene search
K

79 matches found

NVD
NVD
added yesterday6 views

CVE-2026-55954

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauthapple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback idtoken against Apple's JWKS but does not validate any registered...

9.1CVSS
Exploits0References4
CVE
CVE
added yesterday11 views

CVE-2026-55954

CVE-2026-55954 affects ueberauth_apple (v0.1.0 up to but not including v0.6.2). The root cause is lack of validation for registered ID token claims (iss, aud, exp, iat) in Ueberauth.Strategy.Apple.Token.payload/2; the code uses the unvalidated sub to derive the user uid and email. An attacker who...

9.1CVSS6.1AI score
Exploits0References4
NVD
NVD
added 5 days ago6 views

CVE-2026-55669

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer iss but not the audience aud claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted ...

4.2CVSS0.00112EPSS
Exploits0References3
OSV
OSV
added 5 days ago3 views

CVE-2026-55669 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer iss but not the audience aud claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted ...

4.2CVSS6.1AI score0.00112EPSS
Exploits0References5
CVE
CVE
added 5 days ago29 views

CVE-2026-55669

CVE-2026-55669 affects ZITADEL: the external JWT Identity Provider failed to validate the audience (aud) claim, accepting a token signed for a different relying party. The issue, affecting ZITADEL’s JWT IdP implementation, is mitigated by requiring audience validation and is fixed in versions 3.4...

4.2CVSS6.1AI score0.00112EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-55669 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer iss but not the audience aud claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted ...

4.2CVSS0.00112EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 5 days ago8 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication authn.method=oidc, authn.oidc.issuer set but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result...

8.1CVSS6.1AI score0.00301EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 5 days ago6 views

Linux Distros Unpatched Vulnerability : CVE-2026-55689

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when...

8.1CVSS6.1AI score0.00301EPSS
Exploits0References2
NVD
NVD
added 6 days ago6 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

8.1CVSS0.00301EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

6.8CVSS0.00301EPSS
Exploits0References5
OSV
OSV
added 6 days ago3 views

CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

6.8CVSS6.1AI score0.00301EPSS
Exploits0References7
CVE
CVE
added 6 days ago51 views

CVE-2026-55689

OpenFGA’s OIDC authentication could accept tokens from the same identity provider for a different application when authn.method=oidc and authn.oidc.issuer is configured but authn.oidc.audience is unset (pre-1.18.0). This allowed unauthorized authentication to OpenFGA. The issue is fixed in OpenFG...

8.1CVSS6AI score0.00301EPSS
Exploits0References5Affected Software2
RedHat Linux
RedHat Linux
added 6 days ago8 views

Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18.1.P1 for Spring Boot release.

Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot patch release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

10CVSS7.4AI score0.00969EPSS
Exploits6References33
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5423 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga...

8.1CVSS5.8AI score0.00301EPSS
Exploits0References1
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5391 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider in github.com/zitadel/zitadel

ZITADEL: Missing Token Audience Validation aud in JWT IdP Provider in github.com/zitadel/zitadel...

4.2CVSS5.8AI score0.00112EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 9:7 p.m.13 views

CVE-2026-55759

Rocket.Chat Apple Sign-In had a JWT claims validation bypass prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. Any Apple-signed JWT with a non-empty iss could be accepted regardless of aud, exp, nbf, or nonce, enabling replay authentication if an attacker obtains a user’s identity t...

7.4CVSS5.9AI score0.00243EPSS
Exploits0References1
OSV
OSV
added 2026/06/19 2:35 p.m.7 views

GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

6.8CVSS5.8AI score0.00301EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 2:35 p.m.13 views

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

8.1CVSS5.8AI score0.00301EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.20 views

PT-2026-50974

Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.18.0 Description The OIDC authenticator fails to validate the JWT audience aud claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token...

6.8CVSS5.8AI score0.00301EPSS
Exploits0References9
OSV
OSV
added 2026/06/18 1:52 p.m.6 views

GHSA-G5H5-M4HM-XJRR ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

Summary An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider IdP implementation. When validating JSON Web Tokens JWTs from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer iss, but it fails to validate the...

4.2CVSS5.7AI score0.00112EPSS
Exploits0References5
Rows per page
Query Builder