
7 matches found

OSV
added 2026/04/03 9:43 p.m., 0 views

GHSA-CXJ8-GGF2-P57C Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary: SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth...

CVSS 6.1 | AI score 6 | EPSS 0.00023
Exploits 1 | References 4
Vulnrichment
added 2026/04/02 4:14 p.m., 1 views

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectU...

CVSS 6.1 | AI score 5.9 | EPSS 0.00023
Exploits 1 | References 2
CVE
added 2026/04/02 4:14 p.m., 5 views

CVE-2026-34083

Signal K Server (signalk-server) prior to v2.24.0 contains a code-level vulnerability in its OIDC login/logout flow where an unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because redirectUri is silently unset by default, an attacker can spoof the Host header to direct...

CVSS 6.1 | AI score 5.9 | EPSS 0.00023
Exploits 1 | References 2 | Affected Software 1
RedhatCVE
added 2025/05/23 6:41 a.m., 4 views

CVE-2024-41829

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection...

CVSS 7.5 | AI score 7.2 | EPSS 0.00004
Exploits 0
NVD
added 2024/07/22 3:15 p.m., 16 views

CVE-2024-41829

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection...

CVSS 7.5 | EPSS 0.00004
Exploits 0 | References 1
Vulnrichment
added 2024/07/22 2:50 p.m., 16 views

CVE-2024-41829

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection...

CVSS 3.5 | AI score 7.2 | EPSS 0.00004
Exploits 0 | References 1
CVE
added 2024/07/22 2:50 p.m., 75 views

CVE-2024-41829

CVE-2024-41829 concerns JetBrains TeamCity prior to 2024.07. The vulnerability arises from the Space integration (Space module Space Application connection), where an OAuth code for JetBrains Space could be stolen due to weaknesses in the authentication flow. Affected software: JetBrains TeamCity

CVSS 7.5 | AI score 7.2 | EPSS 0.00004
Exploits 0 | References 1 | Affected Software 1