
12 matches found

RedhatCVE
added 2026/05/28 4:47 a.m. · 10 views

CVE-2026-9803

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an...

CVSS 5.3 · AI score 5.7 · EPSS 0.00098
Exploits 0 · References 3

Positive Technologies
added 2026/05/28 12:00 a.m. · 4 views

PT-2026-44196

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an...

CVSS 5.3 · AI score 5.8 · EPSS 0.00098
Exploits 0 · References 3

CNNVD
added 2026/05/28 12:00 a.m. · 7 views

Hono authorization issue vulnerability

Hono is a web framework written in TypeScript and maintained by the Hono community. Versions of Hono prior to 4.12.21 contain an authorization issue: the jwt and jwk middleware did not verify that the Authorization header value uses the Bearer scheme. As a result, JWT...

CVSS 6.5 · AI score 5.8 · EPSS 0.00037
Exploits 0 · References 2

NVD
added 2026/05/15 8:16 p.m. · 7 views

CVE-2026-45339

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-...

CVSS 6.5 · EPSS 0.00034
Exploits 1 · References 1

Tenable Nessus
added 2026/03/04 12:00 a.m. · 5 views

Keycloak < 26.5.4 Multiple Vulnerabilities

Keycloak versions installed prior to 26.5.4 are affected by multiple vulnerabilities, including:
- The Keycloak Authorization header parser is overly permissive regarding the formatting of the 'Bearer' authentication scheme. It accepts non-standard characters such as tabs as separators and...

CVSS 5.3 · AI score 5.7 · EPSS 0.00246
Exploits 0 · References 6

NVD
added 2026/01/08 4:15 a.m. · 2 views

CVE-2026-0707

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters such as tabs as separators and tolerates case variations that deviate from RFC 6750 specifications...

CVSS 5.3 · EPSS 0.0003
Exploits 0 · References 4

ATTACKERKB
added 2026/01/08 3:41 a.m. · 3 views

CVE-2026-0707

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters such as tabs as separators and tolerates case variations that deviate from RFC 6750 specifications...

CVSS 5.3 · AI score 5.8 · EPSS 0.0003
Exploits 0 · References 5

CVE
added 2026/01/08 3:41 a.m. · 17 views

CVE-2026-0707

CVE-2026-0707 affects Keycloak’s Authorization header parser, which is overly permissive with the Bearer scheme. The vulnerability accepts non-standard separators (e.g., tabs) and tolerates case variations that deviate from RFC 6750, enabling potential authentication handling bypasses. Public sou...

CVSS 5.3 · AI score 6.5 · EPSS 0.0003
Exploits 0 · References 4

RedhatCVE
added 2026/01/08 3:41 a.m. · 2 views

CVE-2026-0707

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters such as tabs as separators and tolerates case variations that deviate from RFC 6750 specifications...

CVSS 5.3 · AI score 6.7 · EPSS 0.0003
Exploits 0 · References 3

Metasploit
added 2025/05/13 6:49 p.m. · 384 views

WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)

Exploits two distinct authorization bypasses in the SureTriggers/OttoKit plugin:
- CVE-2025-3102: admin creation via an empty St-Authorization Bearer header
- CVE-2025-27007: reset access key via the connection endpoint and admin creation with a Bearer header
Module Options msf use...

CVSS 9.8 · AI score 8.1 · EPSS 0.83531
Exploits 10

OSV
added 2025/03/21 10:15 p.m. · 3 views

AZL-59168 CVE-2025-30204 affecting package etcd for versions less than 3.5.21-1

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

CVSS 7.5 · AI score 6.7 · EPSS 0.00083
Exploits 0 · References 1

OSV
added 2025/03/21 10:15 p.m. · 3 views

AZL-77508 CVE-2025-30204 affecting package influxdb for versions less than 2.6.1-30

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

CVSS 7.5 · AI score 6.7 · EPSS 0.00083
Exploits 0 · References 1
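Three of the entries above describe the same class of defect from different angles: the Keycloak entries (CVE-2026-0707) describe a Bearer parser that accepts tab separators and scheme case variations, the Hono entry describes jwt middleware that never checked the scheme at all, and the golang-jwt entries (CVE-2025-30204) describe ParseUnverified splitting attacker-controlled input on periods without any bound. The Python below is an added example, not code from Keycloak, Hono, golang-jwt or any advisory on this page. It puts a strict RFC 6750 parser beside a permissive model of the described behaviour, and follows it with a JWS splitter that checks size and separator count before it splits. The ABNF in the comment is RFC 6750 section 2.1 as recalled; the length caps, the probe headers and the `parse_bearer_permissive` model are assumptions constructed for illustration.

```python
"""Strict Authorization: Bearer parsing plus a bounded JWS compact split.

Added example; not code from Keycloak, Hono, golang-jwt or any advisory.
The ABNF comment is RFC 6750 section 2.1 as recalled. The length caps, the
probe headers and parse_bearer_permissive are assumptions for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# RFC 6750 section 2.1:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# SP is a single 0x20 byte. A tab, CR/LF or any other whitespace is not a
# separator, and the scheme is spelled "Bearer" exactly.
_STRICT_BEARER = re.compile(r"Bearer +([A-Za-z0-9\-._~+/]+=*)")

MAX_HEADER_LEN = 8192   # assumed cap; size it for your deployment
MAX_TOKEN_LEN = 4096    # assumed cap on the b64token handed to the JWT layer


def parse_bearer_strict(header: Optional[str]) -> Optional[str]:
    """Return the b64token if `header` is a valid RFC 6750 credential, else None."""
    if header is None or len(header) > MAX_HEADER_LEN:
        return None
    m = _STRICT_BEARER.fullmatch(header)
    return m.group(1) if m else None


def parse_bearer_permissive(header: Optional[str]) -> Optional[str]:
    """Model of the lenient behaviour the Keycloak advisory describes: any run
    of whitespace separates scheme from token and the scheme is compared
    case-insensitively. Illustration only, not Keycloak's actual code."""
    if header is None:
        return None
    parts = header.split()
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return None


def split_jws_compact(token: str) -> Tuple[str, str, str]:
    """Split a JWS compact serialization into (header, payload, signature).

    The size check and the separator count run before any split, so a string
    of thousands of periods is rejected without allocating one list element per
    period. This is the defensive pattern for the golang-jwt ParseUnverified
    issue listed above; it is not golang-jwt's own fix.
    """
    if len(token) > MAX_TOKEN_LEN:
        raise ValueError("token exceeds size limit")
    if token.count(".") != 2:
        raise ValueError("JWS compact serialization needs exactly three segments")
    header_b64, payload_b64, signature_b64 = token.split(".")
    if not header_b64 or not payload_b64:
        raise ValueError("protected header and payload must be non-empty")
    return header_b64, payload_b64, signature_b64


def extract_jws(header: Optional[str]) -> Optional[Tuple[str, str, str]]:
    """Strict header parse followed by the bounded split; None on any rejection."""
    token = parse_bearer_strict(header)
    if token is None:
        return None
    try:
        return split_jws_compact(token)
    except ValueError:
        return None


# Constructed probe headers (the token bytes are not real tokens). Each is a
# variant a lenient parser might accept; the strict parser accepts only the
# RFC-conformant ones.
_TOK = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln"
PROBES = [
    ("conformant", "Bearer " + _TOK),
    ("double space", "Bearer  " + _TOK),        # 1*SP permits more than one SP
    ("tab separator", "Bearer\t" + _TOK),       # the Keycloak deviation
    ("case variation", "bearer " + _TOK),       # the other Keycloak deviation
    ("wrong scheme", "Basic dXNlcjpwYXNz"),     # must not reach the JWT layer
    ("no scheme", _TOK),                        # what an unchecked middleware sees
    ("separator flood", "Bearer " + "." * 100000),  # the golang-jwt shape
]


def compare_parsers() -> Dict[str, Tuple[bool, bool, bool]]:
    """Map each probe label to (permissive_accepts, strict_accepts, jws_ok)."""
    result = {}
    for label, h in PROBES:
        result[label] = (
            parse_bearer_permissive(h) is not None,
            parse_bearer_strict(h) is not None,
            extract_jws(h) is not None,
        )
    return result


if __name__ == "__main__":
    for label, (lenient, strict, jws) in compare_parsers().items():
        print(f"{label:16} permissive={lenient!s:5} strict={strict!s:5} jws={jws}")
```

One interoperability caveat: RFC 7235 defines auth-scheme names as case-insensitive, so a case-sensitive match on "Bearer" is stricter than generic HTTP authentication framing. Whichever rule you pick, make sure every hop in the request path (reverse proxy, gateway, application) applies the same one, because the practical risk with lenient parsing is that two layers disagree about whether a header carries a Bearer token at all.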