12 matches found

EUVD
added 2026/06/18 11:52 a.m. · 10 views

EUVD-2026-37880

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the...

CVSS 9.3 · AI score 5.4 · EPSS 0.00204
Exploits 0 · References 1
Positive Technologies
added 2026/05/27 12:00 a.m. · 10 views

PT-2026-44138

Description: OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...

CVSS 7.1 · AI score 5.8 · EPSS 0.0005
Exploits 0 · References 7
Cvelist
added 2026/05/14 6:58 p.m. · 39 views

CVE-2026-24899 Fleet Windows MDM Azure AD JWT Authentication Bypass

Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not...

CVSS 8.2 · EPSS 0.00381
Exploits 0 · References 2
OSV
added 2026/02/23 9:31 a.m. · 8 views

GHSA-C3F3-CC42-XR9V Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy (Apache Camel Keycloak component). The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

CVSS 9.1 · AI score 5.5 · EPSS 0.00398
Exploits 2 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-3440

Malicious code in bioql (PyPI)...

CVSS 7.5 · AI score 6.5 · EPSS 0.0081
Exploits 1 · References 5
SUSE CVE
added 2024/12/03 12:15 a.m. · 2 views

SUSE CVE-2024-53861

pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for iss checking, resulting in "acb" being accepted for "abc". This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence). Since st...

CVSS 7.5 · AI score 6.6 · EPSS 0.0081
Exploits 1 · References 4
OSV
added 2024/11/29 6:43 p.m. · 6 views

CVE-2024-53861 Issuer field partial matches allowed in pyjwt

pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for iss checking, resulting in "acb" being accepted for "abc". This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence). Since st...

CVSS 2.2 · AI score 6.3 · EPSS 0.0081
Exploits 1 · References 5
CNNVD
added 2024/11/29 12:00 a.m. · 1 view

pyjwt security vulnerability

pyjwt is a Python library by the individual developer José Padilla in the United States. It allows encoding and decoding of JSON Web Tokens (JWT). A security vulnerability exists in pyjwt version 2.10.0, which stems from an incorrect string comparison being run against the iss check, resulting in a...

CVSS 7.5 · AI score 6.5 · EPSS 0.0081
Exploits 1 · References 4
OSV
added 2024/06/05 6:15 p.m. · 6 views

CVE-2024-5037

A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issuer ("iss") check during JSON web token (JWT) authentication...

CVSS 7.5 · AI score 5.7 · EPSS 0.00814
Exploits 0 · References 9
Positive Technologies
added 2024/06/05 12:00 a.m. · 8 views

PT-2024-4052 · Red Hat · Openshift Telemeter

Name of the Vulnerable Software and Affected Versions: OpenShift Telemeter (affected versions not specified). Description: The issue is related to a flaw in OpenShift's Telemeter that allows an attacker to bypass authentication using a forged token. This can be done by exploiting the "iss" check...

CVSS 7.8 · AI score 7 · EPSS 0.00814
Exploits 0 · References 25
RedHat Linux
added 2023/01/23 3:29 p.m. · 2 views

libreoffice: Execution of Untrusted Macros Due to Improper Certificate Validation

An Improper Certificate Validation vulnerability was found in LibreOffice, where determining if a trusted author signed a macro was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro...

CVSS 7.5 · AI score 6 · EPSS 0.00985
Exploits 0 · References 4
OSV
added 2022/07/25 3:15 p.m. · 4 views

UBUNTU-CVE-2022-26305

An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the...

CVSS 7.5 · AI score 7.6 · EPSS 0.00985
Exploits 0 · References 5