11 matches found
CVE-2026-31946
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse method silently discards the...
CVE-2026-31946
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse method silently discards the...
PT-2026-29122
Name of the Vulnerable Software and Affected Versions OpenOlat versions 10.5.4 through 20.2.4 Description OpenOlat is a web-based e-learning platform. The OpenID Connect implicit flow implementation does not verify JSON Web Token JWT signatures. The JSONWebToken.parse method discards the signatur...
CVE-2026-23518
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not...
PYSEC-2025-120
jupyterhub-ltiauthenticator is a JupyterHub authenticator for learning tools interoperability LTI. LTI13Authenticator that was introduced in jupyterhub-ltiauthenticator 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only use...
CVE-2023-25574
CVE-2023-25574 concerns jupyterhub-ltiauthenticator’s LTI13Authenticator. The issue: LTI13Authenticator, added in version 1.3.0, did not validate JWT signatures, potentially allowing forged authentication requests when the JupyterHub instance is configured to use this authenticator. Affected depl...
WordPress + Microsoft Office 365 < 11.7 - JWT Signature Verification Bypass
The plugin does not correctly verify JWT signatures, allowing attackers to forge tokens and bypass authentication and authorisation checks...
Denial Of Service (DoS)
keycloak-connect is vulnerable to denial of service. Failure to validate JWT signatures on /klogout route allows remote attackers to force logout users and indefinitely deny service to the application using malicious JWTs with NBF values...
Forced Logout
Overview Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the /klogout route, allowing attackers to logout users and craft malicious JWTs with NBF values that prevent user access indefinitely. Recommendation Upgrade to...
GHSA-68HW-VFH7-XVG8 Forced Logout in keycloak-connect
Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the /klogout route, allowing attackers to logout users and craft malicious JWTs with NBF values that prevent user access indefinitely. Recommendation Upgrade to version 4.4...
Forced Logout in keycloak-connect
Versions of keycloak-connect prior to 4.4.0 are vulnerable to Forced Logout. The package fails to validate JWT signatures on the /klogout route, allowing attackers to logout users and craft malicious JWTs with NBF values that prevent user access indefinitely. Recommendation Upgrade to version 4.4...