277 matches found

CVE
added 2026/03/12 6:59 p.m., 15 views

CVE-2026-32246

CVE-2026-32246 (Tinyauth): Tinyauth authentication/authorization server before version 5.0.3 allows an attacker who knows a user’s password but not the TOTP secret to obtain an authorization code and valid OIDC tokens by abusing the OIDC authorization endpoint during a TOTP-pending session. This...

CVSS 8.5, AI score 5.8, EPSS 0.0027
Exploits: 1, References: 1, Affected Software: 1
EUVD
added 2026/03/11 4:42 p.m., 5 views

EUVD-2026-11239

Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...

CVSS 4.8, AI score 5.9, EPSS 0.00138
Exploits: 0, References: 1
EUVD
added 2026/03/10 9:03 p.m., 6 views

EUVD-2026-10824

Feathers has an OAuth Callback Account Takeover issue...

CVSS 9.3, AI score 5.8, EPSS 0.00519
Exploits: 0, References: 1
CVE
added 2026/03/10 8:06 p.m., 17 views

CVE-2026-29792

Feathersjs (v5.0.0–5.0.41) is vulnerable to an unauthenticated bypass in the OAuth callback endpoint. A forged profile sent via the query string to /oauth/:provider/callback can trigger a fallback path that reads params.query when Grant’s session/state is empty, allowing an attacker to drive enti...

CVSS 9.8, AI score 5.8, EPSS 0.00519
Exploits: 0, References: 1, Affected Software: 1
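Added example, not Feathers' or Grant's code: a minimal Go callback handler that reproduces the fallback this entry describes (profile assembled from the query string when no session state exists) beside a hardened version that refuses to continue without a session. The session layout, the query keys (`provider`, `id`, `email`, `state`, `code`) and the in-memory provider stand-in are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
)

// LoginSession is the server-side state an OAuth middleware keeps between the
// redirect to the provider and the provider's callback. Constructed for this
// example; Grant's real session layout is not modelled.
type LoginSession struct {
	State string // random nonce created when the login started
}

// Profile is what the provider asserts about the user. It may only come from
// the code-for-token exchange with the provider, never from the browser.
type Profile struct {
	Provider, ID, Email string
}

var (
	ErrNoSession     = errors.New("callback without an in-progress login")
	ErrStateMismatch = errors.New("state parameter does not match the session")
	ErrExchange      = errors.New("provider rejected the authorization code")
)

// Exchanger stands in for the provider round trip; the example feeds it an
// in-memory lookup so everything runs offline.
type Exchanger func(code string) (*Profile, bool)

// Query builds url.Values from key/value pairs.
func Query(kv ...string) url.Values {
	v := url.Values{}
	for i := 0; i+1 < len(kv); i += 2 {
		v.Set(kv[i], kv[i+1])
	}
	return v
}

// VulnerableCallback mirrors the fallback the advisory describes: with no
// session state it assembles the profile from the query string, so whoever
// crafts the callback URL picks the account that gets logged in.
func VulnerableCallback(sess *LoginSession, q url.Values, ex Exchanger) (*Profile, error) {
	if sess == nil || sess.State == "" {
		return &Profile{Provider: q.Get("provider"), ID: q.Get("id"), Email: q.Get("email")}, nil
	}
	return exchangeWithState(sess, q, ex)
}

// HardenedCallback has no fallback: no session means no login, and the profile
// is only ever the provider's answer.
func HardenedCallback(sess *LoginSession, q url.Values, ex Exchanger) (*Profile, error) {
	if sess == nil || sess.State == "" {
		return nil, ErrNoSession
	}
	return exchangeWithState(sess, q, ex)
}

// exchangeWithState is the path both versions share once a session exists:
// constant-time state comparison, then the provider exchange.
func exchangeWithState(sess *LoginSession, q url.Values, ex Exchanger) (*Profile, error) {
	if subtle.ConstantTimeCompare([]byte(sess.State), []byte(q.Get("state"))) != 1 {
		return nil, ErrStateMismatch
	}
	p, ok := ex(q.Get("code"))
	if !ok {
		return nil, ErrExchange
	}
	return p, nil
}

// FakeProvider is the offline stand-in for the provider: exactly one valid code.
func FakeProvider(code string) (*Profile, bool) {
	if code == "good-code" {
		return &Profile{Provider: "github", ID: "42", Email: "alice@example.invalid"}, true
	}
	return nil, false
}

func main() {
	forged := Query("provider", "github", "id", "1", "email", "admin@example.invalid")
	p, err := VulnerableCallback(nil, forged, FakeProvider)
	fmt.Printf("vulnerable, no session: profile=%+v err=%v\n", p, err)
	p, err = HardenedCallback(nil, forged, FakeProvider)
	fmt.Printf("hardened, no session:   profile=%+v err=%v\n", p, err)
}
```

The state comparison is constant-time and the provider exchange is the only source of identity data; the `Exchanger` is a function value so a real HTTP exchange can be dropped in without touching the callback logic.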
RedHat Linux
added 2026/03/05 7:07 p.m., 2 views

org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8, AI score 5.7, EPSS 0.0033
Exploits: 0, References: 4
Vulnrichment
added 2026/03/02 4:18 p.m., 2 views

CVE-2026-28396 NocoDB: Refresh Tokens Not Revoked on Password Reset

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

CVSS 7.1, AI score 5.8, EPSS 0.00181
Exploits: 0, References: 2
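Added example, not NocoDB's code: a small Go refresh-token service that binds every refresh token to a per-user password generation and bumps that generation on reset, so a refresh token stolen before the reset can no longer mint access tokens. With `RevokeOnReset` off it reproduces the flawed behaviour the entry describes. The HMAC token format, the claim names and the in-memory user store are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is the minimal record the example needs. PasswordGen is incremented on
// every password change; a refresh token carries the value current at mint time.
// Illustrative model, not NocoDB's schema.
type User struct {
	ID          string
	PasswordGen uint64
}

type refreshClaims struct {
	Sub string `json:"sub"`
	Gen uint64 `json:"gen"`
	Exp int64  `json:"exp"`
}

type accessClaims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var ErrBadToken = errors.New("refresh token rejected")

// AuthServer signs tokens with an HMAC key. RevokeOnReset=false reproduces the
// flaw (generation ignored); true is the fix.
type AuthServer struct {
	key           []byte
	users         map[string]*User
	Now           func() time.Time
	RevokeOnReset bool
}

func NewAuthServer(key []byte, revokeOnReset bool) *AuthServer {
	return &AuthServer{key: key, users: map[string]*User{}, Now: time.Now, RevokeOnReset: revokeOnReset}
}

func (s *AuthServer) AddUser(id string) { s.users[id] = &User{ID: id} }

// sign produces base64url(payload).base64url(HMAC-SHA256(payload)).
func (s *AuthServer) sign(payload []byte) string {
	mac := hmac.New(sha256.New, s.key)
	mac.Write(payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil))
}

// verify checks the MAC and returns the payload.
func (s *AuthServer) verify(tok string) ([]byte, bool) {
	parts := strings.SplitN(tok, ".", 2)
	if len(parts) != 2 {
		return nil, false
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, false
	}
	mac := hmac.New(sha256.New, s.key)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, false
	}
	return payload, true
}

// IssueRefresh mints a long-lived refresh token bound to the current password generation.
func (s *AuthServer) IssueRefresh(userID string) (string, error) {
	u, ok := s.users[userID]
	if !ok {
		return "", ErrBadToken
	}
	b, _ := json.Marshal(refreshClaims{Sub: u.ID, Gen: u.PasswordGen, Exp: s.Now().Add(30 * 24 * time.Hour).Unix()})
	return s.sign(b), nil
}

// Refresh exchanges a refresh token for a short-lived access token.
func (s *AuthServer) Refresh(tok string) (string, error) {
	payload, ok := s.verify(tok)
	if !ok {
		return "", ErrBadToken
	}
	var c refreshClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", ErrBadToken
	}
	u, ok := s.users[c.Sub]
	if !ok || s.Now().Unix() >= c.Exp {
		return "", ErrBadToken
	}
	if s.RevokeOnReset && c.Gen != u.PasswordGen {
		return "", ErrBadToken // minted before the last password change
	}
	b, _ := json.Marshal(accessClaims{Sub: u.ID, Exp: s.Now().Add(15 * time.Minute).Unix()})
	return s.sign(b), nil
}

// ResetPassword stands in for the reset flow; bumping PasswordGen is what
// invalidates every refresh token issued before the reset.
func (s *AuthServer) ResetPassword(userID string) {
	if u, ok := s.users[userID]; ok {
		u.PasswordGen++
	}
}

func main() {
	for _, fixed := range []bool{false, true} {
		s := NewAuthServer([]byte("example-hmac-key"), fixed)
		s.AddUser("alice")
		stolen, _ := s.IssueRefresh("alice")
		s.ResetPassword("alice")
		_, err := s.Refresh(stolen)
		fmt.Printf("revokeOnReset=%t, stolen token after reset: err=%v\n", fixed, err)
	}
}
```

A generation counter is the cheapest revocation primitive: no per-token blocklist, one integer compare per refresh, and it also invalidates tokens an attacker minted for themselves before the reset. A real deployment would persist the counter with the user record and bump it on every credential change, not only on reset.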
Packet Storm
added 2026/02/25 12:00 a.m., 240 views

Cosign 3.0.4 Certificate Chain Validation Bypass

A logic flaw in the certificate verification process of Cosign versions 3.0.4 and below allows signatures to be accepted even when the issuing Intermediate Certificate Authority (CA) has already expired. This proof of concept generates a chain that can be tested with this software in order to prove...

CVSS 3.7, AI score 5.5, EPSS 0.00197
Exploits: 2
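Added example, not Cosign's code and not the PoC this entry refers to: a Go check built on crypto/x509 that verifies the whole chain as of the claimed signing time, so an intermediate that had already expired at that time fails even though the short-lived leaf is in date. The test PKI (one root, a live and an expired intermediate, a leaf under each, and the signing time) is generated inside the block and is a constructed scenario.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Scenario is a constructed PKI. Both leaves are inside their own validity
// window at SignedAt, so a verifier that only looks at the leaf accepts both.
type Scenario struct {
	Root, LiveInter, ExpiredInter, LiveLeaf, OrphanLeaf *x509.Certificate
	SignedAt                                            time.Time
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func template(serial int64, cn string, from, to time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage, t.BasicConstraintsValid, t.IsCA = x509.KeyUsageCertSign, true, true
	}
	return t
}

func BuildScenario() *Scenario {
	at := time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)
	rootKey, liveKey, expKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootT := template(1, "example root", at.AddDate(-5, 0, 0), at.AddDate(10, 0, 0), true)
	root := mkCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	live := mkCert(template(2, "live intermediate", at.AddDate(-1, 0, 0), at.AddDate(1, 0, 0), true), root, &liveKey.PublicKey, rootKey)
	// expired six months before the signature was made
	expired := mkCert(template(3, "expired intermediate", at.AddDate(-2, 0, 0), at.AddDate(0, -6, 0), true), root, &expKey.PublicKey, rootKey)
	leaf := func(serial int64) *x509.Certificate {
		return template(serial, "signer", at.Add(-5*time.Minute), at.Add(10*time.Minute), false)
	}
	return &Scenario{
		Root: root, LiveInter: live, ExpiredInter: expired, SignedAt: at,
		LiveLeaf:   mkCert(leaf(10), live, &leafKey.PublicKey, liveKey),
		OrphanLeaf: mkCert(leaf(11), expired, &leafKey.PublicKey, expKey),
	}
}

// ChainValidAt verifies leaf -> inter -> root as of the claimed signing time.
// crypto/x509 applies the validity window to every certificate on the path,
// not only the leaf.
func ChainValidAt(leaf, inter, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// IsExpiry reports whether a verification error is a validity-window failure.
// Some Go versions report an invalid intermediate wrapped in an
// UnknownAuthorityError that does not unwrap, hence the message fallback.
func IsExpiry(err error) bool {
	var cie x509.CertificateInvalidError
	if errors.As(err, &cie) {
		return cie.Reason == x509.Expired
	}
	return err != nil && strings.Contains(err.Error(), "has expired")
}

func main() {
	s := BuildScenario()
	fmt.Println("live intermediate:   ", ChainValidAt(s.LiveLeaf, s.LiveInter, s.Root, s.SignedAt))
	fmt.Println("expired intermediate:", ChainValidAt(s.OrphanLeaf, s.ExpiredInter, s.Root, s.SignedAt))
}
```

The point of passing `CurrentTime` explicitly is that signature verification in a transparency-log setting happens long after signing, with a leaf that is deliberately short-lived; the whole path has to be valid at the instant the signature was made, and a verifier that evaluates only the leaf at that instant is exactly the gap this entry describes.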
RedHat Linux
added 2026/02/23 7:19 p.m., 9 views

mod_md: Apache HTTP Server: mod_md (ACME), unintended retry intervals

An integer overflow flaw has been discovered in the Apache HTTP server. The integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated...

CVSS 7.5, AI score 5.8, EPSS 0.00402
Exploits: 0, References: 5
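Added example, not mod_md's code: a Go model of the failure class this entry describes, a per-failure doubling of a signed 64-bit interval that wraps to 0 once the exponent is unbounded, beside a capped version that can never wrap. The base interval, cap and failure counts are constructed values, not httpd's defaults.

```go
package main

import (
	"fmt"
	"time"
)

// Base and Max are the constructed defaults the example runs with.
const (
	Base = 5 * time.Minute
	Max  = 24 * time.Hour
)

// naiveBackoff doubles base once per failure with a plain shift on a signed
// 64-bit duration. Nothing bounds the exponent, so the value wraps: it turns
// negative and, once the shift count reaches the word size, becomes exactly 0.
// A scheduler that reads 0 as "due now" then retries in a tight loop.
// Constructed model of the failure class, not mod_md's arithmetic.
func naiveBackoff(base time.Duration, failures int) time.Duration {
	return base << uint(failures)
}

// cappedBackoff stops doubling as soon as the next step would pass max, so the
// result is monotone and cannot wrap however many failures accumulate.
func cappedBackoff(base, max time.Duration, failures int) time.Duration {
	if base <= 0 || base >= max {
		return max
	}
	d := base
	for i := 0; i < failures; i++ {
		if d > max/2 { // doubling again would exceed max (or overflow)
			return max
		}
		d *= 2
	}
	return d
}

// retriesImmediately is the condition a scheduler must never be handed.
func retriesImmediately(d time.Duration) bool { return d <= 0 }

func main() {
	for _, n := range []int{1, 10, 25, 40, 64} {
		naive := naiveBackoff(Base, n)
		fmt.Printf("failures=%2d naive=%v immediate=%t capped=%v\n",
			n, naive, retriesImmediately(naive), cappedBackoff(Base, Max, n))
	}
}
```

The check worth carrying into any retry scheduler is the one in `cappedBackoff`: compare against half the cap before multiplying, so the bound is enforced on the operand rather than on an already-wrapped result.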
Github Security Blog
added 2026/02/19 6:31 p.m., 10 views

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8, AI score 5.4, EPSS 0.0033
Exploits: 0, References: 8, Affected Software: 1
Cvelist
added 2026/02/19 7:48 a.m., 29 views

CVE-2026-2733 Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8, EPSS 0.0033
Exploits: 0, References: 4
ATTACKERKB
added 2026/02/19 7:48 a.m., 3 views

CVE-2026-2733

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8, AI score 5.8, EPSS 0.0033
Exploits: 0, References: 5
RedhatCVE
added 2026/02/19 7:48 a.m., 4 views

CVE-2026-2733

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8, AI score 5, EPSS 0.0033
Exploits: 0, References: 3
Positive Technologies
added 2026/02/19 12:00 a.m., 7 views

PT-2026-20651

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8, AI score 5.4, EPSS 0.0033
Exploits: 0, References: 2
OSV
added 2026/02/09 9:31 p.m., 2 views

GHSA-37GF-GMXV-74WV Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

CVSS 8.8, AI score 5.8, EPSS 0.00449
Exploits: 0, References: 10
Github Security Blog
added 2026/02/09 9:31 p.m., 10 views

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

CVSS 8.8, AI score 5.6, EPSS 0.00449
Exploits: 0, References: 10, Affected Software: 1
RedhatCVE
added 2026/02/09 6:36 p.m., 4 views

CVE-2026-1486

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

CVSS 8.8, AI score 5.5, EPSS 0.00449
Exploits: 0, References: 3
Cvelist
added 2026/02/09 6:36 p.m., 29 views

CVE-2026-1486 Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

CVSS 8.8, EPSS 0.00449
Exploits: 0, References: 4
CVE
added 2026/02/09 6:36 p.m., 39 views

CVE-2026-1486

CVE-2026-1486: In Keycloak, the jwt-authorization-grant flow fails to verify whether an IdP is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) fetches the IdP config but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to com...

CVSS 8.8, AI score 5.6, EPSS 0.00449
Exploits: 0, References: 5
Snyk
added 2026/02/09 6:23 p.m., 4 views

Improperly Implemented Security Check for Standard

Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification if an Identity Provider (IdP) i...

CVSS 8.8, AI score 5.6, EPSS 0.00449
Exploits: 0, References: 2
Positive Technologies
added 2026/02/09 12:00 a.m., 6 views

PT-2026-7128

Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified). Description: A flaw exists in the jwt-authorization-grant flow where the server does not verify if an Identity Provider (IdP) is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanis...

CVSS 8.8, AI score 5.9, EPSS 0.00449
Exploits: 0, References: 19
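Added example, not Keycloak's or Tinyauth's code: one Go issuance gate covering the three checks the entries on this page describe, the CVE-2026-32246 (Tinyauth) entry near the top and the CVE-2026-2733 and CVE-2026-1486 (Keycloak) entries above. The authorization endpoint refuses a code while the second factor is still pending; every protocol endpoint resolves its client through a single lookup that rejects a disabled client; and the issuer lookup behind a JWT authorization grant treats a disabled identity provider like an unknown one. The record types, client IDs and issuer URLs are assumptions made for the example; assertion signature checking is outside it.

```go
package main

import (
	"errors"
	"fmt"
)

// Client, IdentityProvider and Session are the minimal records the gate needs.
// Constructed for this example; they do not model Keycloak's or Tinyauth's
// internal types.
type Client struct {
	ID      string
	Enabled bool
}

type IdentityProvider struct {
	Issuer  string // iss value of the assertions it signs
	Enabled bool
}

type Session struct {
	UserID      string
	PasswordOK  bool // first factor verified
	TOTPPending bool // second factor still outstanding
}

type Grant struct{ Subject, ClientID string }

var (
	ErrUnknownClient   = errors.New("unknown client")
	ErrClientDisabled  = errors.New("client is disabled")
	ErrUnknownIssuer   = errors.New("no identity provider for issuer")
	ErrIdPDisabled     = errors.New("identity provider is disabled")
	ErrLoginIncomplete = errors.New("authentication not complete")
)

type Realm struct {
	clients map[string]*Client
	idps    map[string]*IdentityProvider // keyed by issuer
}

func NewRealm(clients []*Client, idps []*IdentityProvider) *Realm {
	r := &Realm{clients: map[string]*Client{}, idps: map[string]*IdentityProvider{}}
	for _, c := range clients {
		r.clients[c.ID] = c
	}
	for _, p := range idps {
		r.idps[p.Issuer] = p
	}
	return r
}

// activeClient is the one place every token-issuing path resolves a client, so
// switching "Enabled" off cannot be bypassed by a protocol endpoint that forgot
// its own check.
func (r *Realm) activeClient(id string) (*Client, error) {
	c, ok := r.clients[id]
	if !ok {
		return nil, ErrUnknownClient
	}
	if !c.Enabled {
		return nil, ErrClientDisabled
	}
	return c, nil
}

// AuthorizationCode is the authorization endpoint's decision: a session whose
// second factor is still pending gets no code, and therefore no tokens.
func (r *Realm) AuthorizationCode(sess *Session, clientID string) (*Grant, error) {
	c, err := r.activeClient(clientID)
	if err != nil {
		return nil, err
	}
	if sess == nil || !sess.PasswordOK || sess.TOTPPending {
		return nil, ErrLoginIncomplete
	}
	return &Grant{Subject: sess.UserID, ClientID: c.ID}, nil
}

// JWTAuthorizationGrant is the issuer lookup: the assertion's iss selects the
// IdP, and a disabled IdP is treated exactly like an unknown one. verifiedSubject
// is what the assertion's signature check yielded (not modelled here).
func (r *Realm) JWTAuthorizationGrant(issuer, verifiedSubject, clientID string) (*Grant, error) {
	c, err := r.activeClient(clientID)
	if err != nil {
		return nil, err
	}
	idp, ok := r.idps[issuer]
	if !ok {
		return nil, ErrUnknownIssuer
	}
	if !idp.Enabled {
		return nil, ErrIdPDisabled
	}
	return &Grant{Subject: verifiedSubject, ClientID: c.ID}, nil
}

func main() {
	r := NewRealm(
		[]*Client{{ID: "web", Enabled: true}, {ID: "registry", Enabled: false}},
		[]*IdentityProvider{{Issuer: "https://idp.example.invalid", Enabled: true}, {Issuer: "https://old.example.invalid", Enabled: false}},
	)
	_, err := r.AuthorizationCode(&Session{UserID: "alice", PasswordOK: true, TOTPPending: true}, "web")
	fmt.Println("code with TOTP pending:", err)
	_, err = r.AuthorizationCode(&Session{UserID: "alice", PasswordOK: true}, "registry")
	fmt.Println("disabled client:       ", err)
	_, err = r.JWTAuthorizationGrant("https://old.example.invalid", "bob", "web")
	fmt.Println("disabled IdP:          ", err)
}
```

The common thread in all three entries is that the configuration object (client, identity provider, session) is fetched and used without its enabled or completed flag being consulted; routing every issuance path through one lookup that owns that flag check is what keeps a newly added protocol endpoint from reintroducing the gap.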