Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Title Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...

GHSA-8JVC-MCX6-R4CG Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path

Summary The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. Details The OIDC callback...

Vikunja 授权问题漏洞

Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.3.0 had an authorization vulnerability. This vulnerability stemmed from the OIDC callback handler, which issued full JWT tokens without checking whether the matching user had enabled TOTP two-factor...

PT-2026-31944

Summary The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. Details The OIDC callback...

EUVD-2026-21035

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-35063

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-35063 Missing Authorization in OpenPLC_V3

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-35040

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

EUVD-2025-209371

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

GHSA-C92R-G8J5-VHCX Apache Airflow: JWT token still valid after logout

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

Apache Airflow: JWT token still valid after logout

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration through the logout handler in airflow-core/src/airflow/apifastapi/coreapi/routes/public/auth.py and the token validation path in airflow-core/src/airflow/apifastapi/auth/managers/baseauthmanager.py. An...

CVE-2025-57735

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

CVE-2025-57735

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem

Summary Multiple vulnerabilities were addressed in IBM watsonx Code Assistant On Prem V5.3.1 Patch 1 Vulnerability Details CVEID:CVE-2024-58340 DESCRIPTION: LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.pars...

CLEANSTART-2026-TN07413 Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web To...

Multiple security vulnerabilities affect the terragrunt-fips package. Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. See references...

PT-2026-31704

OpenPLC V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator acces...

OpenPLC Runtime version 3 安全漏洞

OpenPLC Runtime version 3 is a programmable logic controller developed by Thiago Alves. There is a security vulnerability in OpenPLC Runtime version 3. This vulnerability stems from the REST API endpoints only checking the existence of JWTs without verifying the caller’s role. This could allow...

PT-2026-31606

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.0 Description Apache Airflow is affected by an issue where JWT tokens remain valid after a user logs out, potentially allowing unauthorized access if the token is intercepted. The JWT token associated with ...

CVE-2026-39413

LightRAG is vulnerable to a JWT algorithm confusion attack in versions prior to 1.4.14 of its API. An attacker can forge tokens with alg: none in the JWT header because jwt.decode() does not explicitly disallow none, allowing another party to access protected resources without a valid signature. ...