1576 matches found
PT-2026-34332
Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise th...
EUVD-2026-23965
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens...
Linux Distros Unpatched Vulnerability : CVE-2026-33557
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to...
EUVD-2026-23846
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...
Improper Validation of Specified Index, Position, or Offset in Input
Overview org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur. Affected versions of this package are vulnerable to Improper Validation of...
GHSA-28JG-CGG7-J4WC Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation
A security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. An attacke...
CVE-2026-33557
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...
CVE-2026-33557 Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...
PT-2026-33844
Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description A user disabled by an administrator can continue using previously issued API tokens until the token lifetime expires. This occurs because token-based authentication fails to verify the user.Status...
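The two token-handling mistakes listed above (Kafka's default validator accepting any JWT without checking signature, issuer or audience, and Nginx UI honouring a correctly signed token for a user an administrator has since disabled) can be shown side by side with a minimal HS256 JWT. This is an added example, not code from Apache Kafka, Nginx UI or their advisories; the key, issuer, audience, user store and fixed clock are constructed for the demo.

```python
"""Added example, not code from Apache Kafka or Nginx UI.

Two failure modes from the advisories above, modelled with a minimal HS256 JWT:
  1. a validator that merely parses the token (the DefaultJwtValidator
     behaviour described for CVE-2026-33557) accepts a forged, unsigned or
     wrong-audience token;
  2. a validator that checks the signature but not the account's current
     status (the Nginx UI issue) keeps honouring tokens of a disabled user.
Key, issuer, audience and clock values are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"demo-shared-secret"          # constructed; a real broker trusts the IdP's keys
ISSUER = "https://idp.example.test"  # assumed issuer
AUDIENCE = "kafka-broker"            # assumed audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = KEY, alg: str = "HS256") -> str:
    """Issue a token. alg='none' yields an unsigned token with an empty signature part."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def parse_only(token: str) -> dict:
    """Accept-anything validator: decodes the claims and trusts them as-is."""
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))


def validate_jwt(token, key=KEY, issuer=ISSUER, audience=AUDIENCE, now=None) -> dict:
    """Proper validation: pinned algorithm, HMAC signature, iss, aud and exp."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def authorize(token, user_store, now=None) -> dict:
    """A valid signature is necessary, not sufficient: the account must still be enabled."""
    claims = validate_jwt(token, now=now)
    user = user_store.get(claims.get("sub"))
    if user is None or not user.get("enabled"):
        raise PermissionError(f"account {claims.get('sub')!r} is disabled or unknown")
    return claims


def accepts(validator, token, *args, **kw) -> bool:
    """True if the validator lets the token through, False if it rejects it."""
    try:
        validator(token, *args, **kw)
        return True
    except (ValueError, PermissionError):
        return False


NOW = 1_800_000_000  # fixed clock so the demo is reproducible
BASE = {"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 3600}
FORGED = sign_jwt({**BASE, "sub": "admin"}, key=b"attacker-picked-key")
UNSIGNED = sign_jwt({**BASE, "sub": "admin"}, alg="none")
WRONG_AUD = sign_jwt({**BASE, "sub": "admin", "aud": "some-other-service"})
GENUINE = sign_jwt({**BASE, "sub": "alice"})

if __name__ == "__main__":
    print("parse-only accepts forged  :", accepts(parse_only, FORGED))
    print("validating accepts forged  :", accepts(validate_jwt, FORGED, now=NOW))
    users = {"alice": {"enabled": True}}
    print("alice enabled  ->", authorize(GENUINE, users, now=NOW)["sub"])
    users["alice"]["enabled"] = False
    print("alice disabled ->", accepts(authorize, GENUINE, users, now=NOW))
```

The status lookup in `authorize` is the piece Nginx UI's token path lacked; a revocation check of this kind (or short-lived tokens plus a deny list) is what makes disabling an account take effect before the token expires. For a broker, the equivalent of `validate_jwt` is a validator class that actually checks signature, issuer and audience rather than the parse-only default described for CVE-2026-33557.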
PT-2026-33644
Name of the Vulnerable Software and Affected Versions Apache Kafka versions prior to 3.9.2 Apache Kafka versions prior to 4.0.1 Description The NetworkClient component outputs complete request and response information when the log level is set to DEBUG. While the default log level is INFO, enabli...
BIT-AIRFLOW-2026-31987 Apache Airflow: JWT token appearing in logs
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...
CVE-2026-31987
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...
Security Misconfiguration
Apache Airflow is Vulnerable to Security Misconfiguration. The Vulnerability is due to insufficiently clear documentation of the security model, workload isolation, and JWT authentication behavior, which may lead deployment managers to make incorrect assumptions and configure insecure environment...
Information Disclosure
apacheairflow is vulnerable to Information Disclosure. The vulnerability is due to JWT Tokens used by tasks being exposed in logs, where UI users could act as Dag Authors by exploiting this exposure...
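The Airflow entries above describe task JWTs ending up in logs, where anyone with log access can replay them. A practitioner triaging such a report wants to know whether tokens are already sitting in archived logs and to scrub them before the logs are shared. The scanner below is an added example, not Apache Airflow's code; the log lines, tokens and the log format are constructed for the demo and do not reproduce Airflow's real output.

```python
"""Added example, not Apache Airflow's code: detect and redact JWTs that have
leaked into task logs, as described for CVE-2026-31987. Log lines and tokens
below are constructed for the demo; the format is not Airflow's real one."""
import base64
import json
import re

# Base64url of '{"' is "eyJ", so every JWT with a JSON header starts that way.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(candidate: str):
    """Return the payload dict if the string is structurally a JWT, else None.
    Header and payload must both decode to JSON objects and the header must
    carry 'alg'; this filters out other base64url blobs the regex matches."""
    try:
        header_b64, payload_b64, _ = candidate.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad padding, non-UTF-8 bytes and JSON errors all land here
        return None
    if isinstance(header, dict) and "alg" in header and isinstance(payload, dict):
        return payload
    return None


def scan_log(lines):
    """Report every confirmed JWT with its line number and sub/exp claims."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in JWT_RE.finditer(line):
            payload = jwt_payload(match.group(0))
            if payload is not None:
                findings.append({"line": lineno, "sub": payload.get("sub"),
                                 "exp": payload.get("exp")})
    return findings


def redact(line: str) -> str:
    """Replace confirmed JWTs with a marker that keeps only the subject claim."""
    def _swap(match):
        payload = jwt_payload(match.group(0))
        if payload is None:
            return match.group(0)
        return f"<JWT redacted sub={payload.get('sub', '?')}>"
    return JWT_RE.sub(_swap, line)


def _demo_token(claims: dict) -> str:
    """Build a token with a dummy signature; only its shape matters here."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{'A' * 43}"


TASK_TOKEN = _demo_token({"sub": "task:dag_a.extract", "exp": 1_800_000_900})
API_TOKEN = _demo_token({"sub": "svc-scheduler", "exp": 1_800_003_600})

# Constructed sample lines: two carry tokens, one is a look-alike base64 blob.
SAMPLE_LOG = [
    "[2026-01-01T00:00:00] INFO - workload={'dag_id': 'dag_a', 'token': '" + TASK_TOKEN + "'}",
    "[2026-01-01T00:00:01] INFO - task extract started",
    "[2026-01-01T00:00:02] DEBUG - outbound header Authorization: Bearer " + API_TOKEN,
    "[2026-01-01T00:00:03] INFO - session=eyJzZXNzaW9uX2lkIjoxfQ.abcdefghij.notajwt",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact(line))
```

Treat every `sub` the scanner reports as a credential to rotate, not just a line to redact: the advisory's point is that a UI user who could read the log could act as the token's subject until it expired.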
Exploit for CVE-2026-29000
CVE-2026-29000: Proof of Concept PoC for pac4j-jwt Auth Bypa...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise-ui is a Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs usin...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting...
Insertion of Sensitive Information into Log File
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to JWT Tokens being embedded inside workload object in task logs. An attacker can gain unauthorized access to sensitive information by viewing log files containing JWT tokens. This...
Apache Airflow: JWT token appearing in logs
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...