14 matches found
EUVD-2026-28857
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2...
CVE-2026-33175 OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email i...
CVE-2026-3047
A flaw in Keycloak’s SAML broker (org.keycloak.broker.saml) allows a disabled SAML client, when configured as an IdP-initiated broker landing target, to complete the login flow and establish an SSO session. This can let a remote attacker access other enabled clients without re-authenticating, eff...
EUVD-2024-2058
Malicious code in bioql PyPI...
GHSA-69J8-PRX2-VX98 Mattermost Open Redirect vulnerability
Mattermost versions 10.10.x = 10.10.1, 10.5.x = 10.5.9, 10.9.x = 10.9.4 fail to validate the redirectto parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL...
keycloak: Phishing attack via email verification step in first login flow
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider IdP login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email...
Origin Validation Error
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to another...
Origin Validation Error
Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Origin Validation Error via the review profile process. An attacker can gain unauthorized access to...
CVE-2025-7365 Keycloak: phishing attack via email verification step in first login flow
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider IdP login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email...
CVE-2025-7365 Keycloak: phishing attack via email verification step in first login flow
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider IdP login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email...
CVE-2025-7365
Keycloak vulnerability CVE-2025-7365 involves an IdP login flow where an authenticated attacker merging accounts can alter their email to match a victim’s, triggering a verification email to the victim. If the victim clicks the verification link, the attacker could gain access to the victim’s acc...
PT-2025-29098
Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw exists in Keycloak that allows an authenticated attacker to potentially gain access to a victim's account. During an identity provider IdP login, if an attacker attempts to merge...
Keycloak 访问控制错误漏洞
Keycloak is an open source identity and access management solution from Keycloak Open Source. Keycloak suffers from an access control error vulnerability that stems from a flaw in the account merge function during identity provider login, which could allow an attacker to gain access to a victim's...
grafana: OAuth account takeover
A flaw was found in Grafana. This flaw allows a malicious user with the authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under certain conditions...