CVE-2026-56270

Flowise (FlowiseAI) before 3.1.0, including 3.0.13 and earlier, exposes a missing authentication vulnerability at /api/v1/loginmethod that allows unauthenticated retrieval of an organization’s complete SSO configuration, including OAuth client secrets in cleartext, by passing an organizationId. T...

Mattermost has an Observable Timing Discrepancy vulnerability

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...

CVE-2025-54499

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...

SUSE CVE-2023-39958

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients...