CVE-2026-49757

AshAuthentication (versions before 4.14.0 and before 5.0.0-rc.10) is vulnerable to an authentication bypass where OAuth2/OIDC sign-in matches local users by email rather than the issuer/sub identity. An attacker able to provide a victim’s email to an OAuth provider could be signed in to the victi...

CVE-2026-3531 OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

EUVD-2025-204252

The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openidconnectgenericauthurl' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for...

OpenBao 日志信息泄露漏洞

OpenBao is an OpenBao open source sensitive data management software. A log information disclosure vulnerability exists in OpenBao versions 2.2.0 through 2.4.1, which stems from audit logs that do not properly edit the original HTTP body, which could lead to the disclosure of ACME authentication...

CVE-2025-57800 Audiobookshelf vulnerable to OIDC token exfiltration and account takeover

Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie,...

Linux Distros Unpatched Vulnerability : CVE-2021-32792

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users...

Security Bulletin: A security vulnerability has been discovered in IBM Verify Identity Access OIDC Provider (CVE-2024-56171)

Summary A security vulnerability has been addressed in IBM Verify Identity Access OIDC Provider Vulnerability Details CVEID:CVE-2024-56171 DESCRIPTION: libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in...

ceph: rhceph-container: Authentication bypass in CEPH RadosGW

A vulnerability in the Ceph Rados Gateway RadosGW OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm alg. This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid token...

CVE-2021-21584

Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials...

The vulnerability of WebSphere Application Server for application servers allows attackers to increase their privileges.

The vulnerability of OIDC components and TAI server components of WebSphere Application Server is related to deficiencies in access control. Exploiting this vulnerability can allow a malicious actor to enhance their privileges remotely...