1132 matches found
CVE-2024-1248
The silent Just-In-Time JIT provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users wi...
CVE-2024-1248 Role Overwriting via Silent JIT Provisioning in Multiple WSO2 Products Enables Privilege Escalation
The silent Just-In-Time JIT provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users wi...
EUVD-2024-55648
The silent Just-In-Time JIT provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users wi...
CVE-2024-1248
The silent Just-In-Time JIT provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users wi...
CVE-2024-1248
The CVE-2024-1248 entry describes a vulnerability in federated authentication that uses silent JIT provisioning. When a federated user shares a username with a local user, the provisioning process can overwrite the local user’s existing roles with roles from the federated IDP, effectively enablin...
CVE-2026-14621 FederatedAI FATE OSX Broker QueuePushReqStreamObserver.java QueuePushReqStreamObserver.initEggroll wrong session
A vulnerability has been found in FederatedAI FATE up to 2.2.0. This affects the function QueuePushReqStreamObserver.initEggroll of the file java/osx/osx-broker/src/main/java/org/fedai/osx/broker/grpc/QueuePushReqStreamObserver.java of the component OSX Broker. Such manipulation of the argument...
PT-2026-55730
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The silent Just-In-Time JIT provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation. When...
EUVD-2026-40744
Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
DEBIAN-CVE-2026-14057
Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
CVE-2026-14057
Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
CVE-2026-14057
Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
CVE-2026-14057
CVE-2026-14057 affects Google Chrome where an inappropriate FedCM implementation allows a remote attacker to bypass the same-origin policy via a crafted HTML page. Affected versions are Chrome before 150.0.7871.47; the vulnerability stems from the FedCM component’s incorrect handling, enabling cr...
CVE-2026-14057
Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
CVE-2026-11906 IBM® Db2® federated server is vulnerable to a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns by autheticated user
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of XMLTable-derived columns...
PT-2026-54332
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description An inappropriate implementation in the Federated Credential Management FedCM API allows a remote attacker to bypass the same origin policy, which is a security mechanism that restricts...
EUVD-2026-39567
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...
CVE-2026-11800
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...
CVE-2026-11800 Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...
CVE-2026-11800 Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...
CVE-2026-11800
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to...