Lucene search
K

5 matches found

Cvelist
Cvelist
added 2026/04/21 9:18 p.m.35 views

CVE-2026-40946 Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience aud claim validation at the library level. This allows tokens issued for unrelate...

9.2CVSS0.00255EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/21 9:18 p.m.3 views

CVE-2026-40946 Oxia: OIDC token audience validation bypass via SkipClientIDCheck

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience aud claim validation at the library level. This allows tokens issued for unrelate...

9.2CVSS5.7AI score0.00255EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/14 11:14 p.m.8 views

Oxia has an OIDC token audience validation bypass via SkipClientIDCheck

Summary The OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience aud claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted by Oxia...

9.2CVSS5.8AI score0.00255EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/07 4:18 p.m.3 views

CVE-2026-30863 Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

9.3CVSS5.8AI score0.00525EPSS
Exploits0References3
OSV
OSV
added 2026/03/05 8:52 p.m.5 views

GHSA-G962-2J28-3CG9 OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes

Summary When JWT authentication is configured using either: - authJwtPubKeyPath local RSA public key, or - authJwtHmacSecret HMAC secret, the configured audience value authJwtAud is not enforced during token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted...

8.8CVSS6AI score0.00301EPSS
Exploits1References5
Rows per page
Query Builder