Lucene search
K

26 matches found

CVE
CVE
added 4 days ago74 views

CVE-2026-28699

Summary: CVE-2026-28699 affects Gitea up to 1.26.1, where OAuth2 tokens presented via HTTP Basic authentication bypass scope enforcement. Root cause (from connected docs): In services/auth/basic.go, OAuth2 tokens are accepted through the Basic path with LoginMethod and IsApiToken set, but ApiToke...

8.1CVSS7.1AI score0.00566EPSS
Exploits1References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/23 6:17 p.m.3 views

Security Bulletin: Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass

Summary An improper authorization vulnerability in Streamable MCP transport endpoint /api/v1/mcp/project/projectid/streamable allows unauthenticated attackers to bypass project ownership controls and execute Model Context Protocol MCP operations against OAuth-authenticated projects owned by other...

9.8CVSS6.1AI score0.00259EPSS
Exploits0Affected Software1
Snyk
Snyk
added 2026/06/12 4:5 a.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to improper authentication checks in the OAuth implementation. An attacker can gain unauthorized access by exploiting the lack of proper validation, even when OAuth is not configured or...

9.8CVSS7.2AI score0.00662EPSS
Exploits2References2
Vulnrichment
Vulnrichment
added 2026/06/12 2:27 a.m.9 views

CVE-2026-48612

Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover...

8CVSS7.5AI score0.0012EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 2:27 a.m.14 views

EUVD-2026-36375

Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...

9.8CVSS7.8AI score0.00662EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.19 views

PT-2026-47585

Summary Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response type and supplies an attacker-controlled redirect uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As...

5.4CVSS5.6AI score
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/11 8:41 p.m.4 views

CVE-2026-32111 ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form beta feature accepts a user-supplied haurl and makes a server-side HTTP request to haurl/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network...

5.3CVSS6AI score0.00278EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/10 8:46 p.m.3 views

CVE-2026-30967 Parse Server OAuth2 authentication adapter account takeover via identity spoofing

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspectio...

7.6CVSS5.8AI score0.00333EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/28 1:54 a.m.4 views

CVE-2026-28215

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request wi...

9.1CVSS6AI score0.00455EPSS
Exploits1References1
SUSE CVE
SUSE CVE
added 2026/01/17 12:51 a.m.11 views

SUSE CVE-2017-18905

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled...

5.3CVSS7AI score0.00769EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.8 views

EUVD-2018-0737

Malware in sbrugna...

8.3CVSS8.2AI score0.06119EPSS
Exploits0References7
Packet Storm News
Packet Storm News
added 2025/07/22 12:0 a.m.2 views

Building a Robust OAuth Token Based API Security: a High Level Overview

APIs Application Programming Interfaces or Web Services are the foundational building blocks that enable interconnected systems. However this proliferation of APIs has also introduced security challenges that require systematic and scalable solutions for secure authentication and authorization...

7AI score
Exploits0
OSV
OSV
added 2024/11/20 11:15 a.m.2 views

UBUNTU-CVE-2024-45690

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts...

7.5CVSS5.7AI score0.00353EPSS
Exploits0References4
OSV
OSV
added 2024/03/06 10:53 a.m.64 views

BIT-CODEIGNITER-2022-35943

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct or indirect, e.g., XSS control over a...

8.8CVSS7.2AI score0.00474EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added 2023/02/23 12:1 a.m.4 views

google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...

9.1CVSS5.9AI score0.01587EPSS
Exploits1References4
OSV
OSV
added 2022/09/09 9:15 p.m.2 views

DEBIAN-CVE-2022-36087

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of urivalidate functions depending where it is used. OAuthLib...

6.5CVSS6.8AI score0.01258EPSS
Exploits1References1
PyPA
PyPA
added 2022/09/09 9:15 p.m.7 views

PYSEC-2022-269

OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of urivalidate functions depending where it is used. OAuthLib...

6.5CVSS6.8AI score0.01258EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2022/06/29 12:0 a.m.4 views

ApiFest OAuth 2.0 Server 输入验证错误漏洞

ApiFest OAuth 2.0 Server is ApiFest open source an OAuth 2.0 protocol ApiFest OAuth 2.0 Server Java implementation . A security vulnerability exists in ApiFest OAuth 2.0 Server version 0.3.1, which stems from not validating the redirect URI according to RFC 6749, which can be exploited by an...

6.1CVSS6.4AI score0.00771EPSS
Exploits0References4
CNNVD
CNNVD
added 2022/04/06 12:0 a.m.5 views

Vmware Workspace One Access 授权问题漏洞

Vmware Workspace One Access is Vmware USA's combines user identity with factors such as device and network information to make intelligence-driven conditional access decisions for Workspace One delivered applications. An authorization issue vulnerability exists in Vmware Workspace One Access due ...

9.8CVSS8.6AI score0.50694EPSS
Exploits5References6
Exploit DB
Exploit DB
added 2021/06/02 12:0 a.m.201 views

Products.PluggableAuthService 2.6.0 - Open Redirect

Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect Exploit Author: Piyush Patil Affected Component: Pluggable Zope authentication/authorization framework Component Link: https://pypi.org/project/Products.PluggableAuthService/ Version: =2.6.1"...

6.1CVSS6.3AI score0.08443EPSS
Exploits4
Rows per page
Query Builder