197 matches found
fast-jwt 安全漏洞
fast-jwt is a JSON Web Token implementation open-sourced by Nearform. Versions of fast-jwt prior to 6.1.0 contained security vulnerabilities. These vulnerabilities stemmed from the incorrect creation of unique keys using the custom cacheKeyBuilder method, which could lead to cache conflicts and...
Improper Validation of Unsafe Equivalence in Input
Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the cacheKeyBuilder function when custom implementations do not generate unique keys for different tokens, leading to cache collision...
PT-2026-30016
Name of the Vulnerable Software and Affected Versions fast-jwt affected versions not specified Description The fast-jwt library has a cache confusion vulnerability that can lead to identity or authorization mix-ups. This occurs when a custom cacheKeyBuilder function does not create unique keys fo...
PT-2026-30279
Name of the Vulnerable Software and Affected Versions LiteLLM versions prior to 1.83.0 Description A critical authentication bypass can occur in LiteLLM when JWT authentication is enabled, due to an OIDC userinfo cache key collision. The OIDC userinfo cache uses the first 20 characters of the tok...
CVE-2026-33729
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation. An attacker can gain unauthorized access to resources by sending specially crafted requests that result in cache key collisions, causing the system to reuse cached authorization results for different requests...
CVE-2026-33729
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache...
CVE-2026-33729
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache...
CVE-2026-33729 OpenFGA has an Authorization Bypass through cached keys
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache...
CVE-2026-33496
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...
CVE-2026-33496 Ory Oathkeeper has an authentication bypass by cache key confusion
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...
CVE-2026-33496
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...
CVE-2026-33496 Ory Oathkeeper has an authentication bypass by cache key confusion
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...
CVE-2026-33496
Overview: CVE-2026-33496 affects ORY Oathkeeper (Identity & Access Proxy) prior to version 26.2.0, where the oauth2_introspection authenticator cache fails to distinguish tokens across different introspection URLs, enabling authentication bypass via cache key confusion. Impact (as described): An ...
CVE-2026-33496 Ory Oathkeeper has an authentication bypass by cache key confusion
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Versions prior to 26.2.0 are vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distingui...
Ory Oathkeeper 安全漏洞
Ory Oathkeeper is an access control decision-making software developed by Ory OpenSource. Versions of Ory Oathkeeper prior to 26.2.0 contained security vulnerabilities. These vulnerabilities were caused by a cache key confusion in the oauth2introspection authentication mechanism, which could lead...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication due to cache key confusion. An attacker can gain unauthorized access by using a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Note: This is onl...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication due to cache key confusion. An attacker can gain unauthorized access by using a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Note: This is onl...
GO-2026-4799 Ory Oathkeeper has an authentication bypass by cache key confusion in github.com/ory/oathkeeper
Ory Oathkeeper has an authentication bypass by cache key confusion in github.com/ory/oathkeeper...
Ory Oathkeeper has an authentication bypass by cache key confusion
Description Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and...