59 matches found

Nuclei
added 3 days ago, 89 views

OpenMetadata - Authentication Bypass

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

CVSS 9.8, AI score 7.5, EPSS 0.93917
Exploits 5, References 5

EUVD
added 2026/05/26 5:35 p.m., 5 views

EUVD-2026-31940

nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...

CVSS 4.4, AI score 5.8, EPSS 0.00014
Exploits 0, References 1

NVD
added 2026/05/13 4:16 p.m., 6 views

CVE-2026-44459

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not...

CVSS 3.8, EPSS 0.00021
Exploits 0, References 1

Debian
added 2026/05/05 3:44 p.m., 5 views

[SECURITY] [DLA 4564-1] pyjwt security update

Debian LTS Advisory DLA-4564-1, [email protected], https://www.debian.org/lts/security/, Jochen Sprickerhof, May 05, 2026, https://wiki.debian.org/LTS. Package: pyjwt. Version: 1.7.1-2+deb11u1. CVE ID: CVE-2026-32597. It was discovered that PyJWT, a Python implementation of JSON Web Token, did...

CVSS 7.5, AI score 6.7, EPSS 0.00014
Exploits 1

NVD
added 2026/04/28 7:37 p.m., 1 view

CVE-2026-41405

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks...

CVSS 8.7, EPSS 0.00228
Exploits 0, References 3

EUVD
added 2026/04/28 6:10 p.m., 1 view

EUVD-2026-26112

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks...

CVSS 8.7, AI score 5.3, EPSS 0.00228
Exploits 0, References 3

Positive Technologies
added 2026/04/28 12:00 a.m., 1 view

PT-2026-35788

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.31. Description: OpenClaw parses MS Teams webhook request bodies before performing JSON Web Token (JWT) validation—a process used to verify the identity of the sender. This allows unauthenticated remote attackers ...

CVSS 8.7, AI score 5.8, EPSS 0.00228
Exploits 0, References 7

OSV
added 2026/04/22 8:40 a.m., 0 views

BIT-KAFKA-2026-33557 Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...

CVSS 9.1, AI score 5.7, EPSS 0.00223
Exploits 0, References 4

Cvelist
added 2026/04/20 1:28 p.m., 25 views

CVE-2026-33557 Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication

A possible security vulnerability has been identified in Apache Kafka. By default, the broker property sasl.oauthbearer.jwt.validator.class is set to org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. It accepts any JWT token without validating its signature, issuer, or audience. A...

EPSS 0.00223
Exploits 0, References 2

ATTACKERKB
added 2026/04/06 8:38 a.m., 1 view

CVE-2026-37977

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the...

CVSS 3.7, AI score 5.9, EPSS 0.00009
Exploits 0, References 3

RedhatCVE
added 2026/04/06 8:38 a.m., 1 view

CVE-2026-37977

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the...

CVSS 5.3, AI score 5.9, EPSS 0.00009
Exploits 0, References 3

OSV
added 2026/03/11 7:36 p.m., 0 views

CVE-2026-27478 Unity Catalog has a JWT Issuer Validation Bypass Allows Complete User Impersonation

Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint /api/1.0/unity-control/auth/tokens. The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to...

CVSS 9.1, AI score 5.8, EPSS 0.0003
Exploits 0, References 3

Cvelist
added 2025/11/19 12:00 a.m., 6 views

CVE-2025-63224

The Itel DAB Encoder (IDEnc) build 25aec8d is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the...

EPSS 0.00137
Exploits 1, References 2

Cvelist
added 2025/11/18 12:00 a.m., 4 views

CVE-2025-63217

The Itel DAB MUX (IDMUX) build c041640a is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the...

EPSS 0.00137
Exploits 1, References 2

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-0930

Malware in sbrugna...

CVSS 8.6, AI score 8.5, EPSS 0.00582
Exploits 0, References 9

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-15796

Malware in sbrugna...

CVSS 7.5, AI score 7.3, EPSS 0.00762
Exploits 0, References 10

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-4584

Malicious code in bioql PyPI...

CVSS 8.2, AI score 6.3, EPSS 0.00067
Exploits 0, References 4

EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2024-49465

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.9, EPSS 0.00054
Exploits 0, References 2

EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-32920

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.6, EPSS 0.00336
Exploits 0, References 2

EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-1305

Malicious code in bioql PyPI...

CVSS 7.3, AI score 7.3, EPSS 0.00177
Exploits 0, References 17