
73 matches found

EUVD
added 2026/06/12 8:55 a.m., 7 views

EUVD-2026-36395

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users...

AI score: 5.1, EPSS: 0.00393
Exploits: 0, References: 1
Vulnrichment
added 2026/06/12 8:55 a.m., 6 views

CVE-2026-50627 Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users...

AI score: 5.2, EPSS: 0.00393
Exploits: 0, References: 1
Positive Technologies
added 2026/06/12 12:00 a.m., 10 views

PT-2026-48846

Name of the Vulnerable Software and Affected Versions: Apache CXF versions prior to 4.2.2; Apache CXF versions prior to 4.1.7. Description: The JwtAccessTokenValidator class fails to validate the aud (Audience) claims of incoming JWT access tokens. This flaw enables a JWT issued for one Resource Server...

CVSS: 9.1, AI score: 5.2, EPSS: 0.00393
Exploits: 0, References: 7
NVD
added 2026/05/19 12:16 p.m., 16 views

CVE-2026-4630

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm,...

CVSS: 6.8, EPSS: 0.00303
Exploits: 0, References: 4
RedhatCVE
added 2026/05/19 10:28 a.m., 11 views

CVE-2026-4630

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm,...

CVSS: 6.8, AI score: 5.6, EPSS: 0.00303
Exploits: 0, References: 3
ATTACKERKB
added 2026/05/19 10:28 a.m., 4 views

CVE-2026-4630

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm,...

CVSS: 6.8, AI score: 5.7, EPSS: 0.00303
Exploits: 0, References: 5
EUVD
added 2026/05/19 10:28 a.m., 10 views

EUVD-2026-30879

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm,...

CVSS: 6.8, AI score: 5.7, EPSS: 0.00303
Exploits: 0, References: 2
CVE
added 2026/05/19 10:28 a.m., 20 views

CVE-2026-4630

CVE-2026-4630 (Keycloak) describes an Insecure Direct Object Reference (IDOR) in the Authorization Services Protection API endpoint. An authenticated client can use a resource UUID from another Resource Server in the same realm to bypass authorization checks, enabling unauthorized GET, PUT, and D...

CVSS: 6.8, AI score: 5.7, EPSS: 0.00303
Exploits: 0, References: 4, Affected Software: 1
Spring Security Advisories
added 2026/05/19 12:00 a.m., 7 views

Spring Office Hours Podcast: S5E16 - May Release Train Shift & What's Coming in Spring Boot 4.1

Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this episode, Dan and DaShaun break down the recently announced shift of the May release train from May 11-22 to June 1-5, and what that means for your upgrade planning across the Spring portfolio. They also dig...

AI score: 5.8
Exploits: 0
NVD
added 2026/03/26 7:17 p.m., 2 views

CVE-2026-3190

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the umaprotection role check. This allows any authenticated user with a token issued for a resource server client, even without the umaprotection role, to enumerate all...

CVSS: 4.3, EPSS: 0.00319
Exploits: 0, References: 4
Vulnrichment
added 2026/03/26 7:12 p.m., 1 view

CVE-2026-3190 Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the umaprotection role check. This allows any authenticated user with a token issued for a resource server client, even without the umaprotection role, to enumerate all...

CVSS: 4.3, AI score: 5.8, EPSS: 0.00319
Exploits: 0, References: 2
NVD
added 2025/12/16 5:16 a.m., 13 views

CVE-2025-14777

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer client ID provided in the A...

CVSS: 6, EPSS: 0.00315
Exploits: 0, References: 4
Vulnrichment
added 2025/12/16 5:02 a.m., 2 views

CVE-2025-14777 Keycloak: keycloak idor in realm client creating/deleting

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer client ID provided in the A...

CVSS: 6, AI score: 6.1, EPSS: 0.00315
Exploits: 0, References: 4
Cvelist
added 2025/12/16 5:02 a.m., 30 views

CVE-2025-14777 Keycloak: keycloak idor in realm client creating/deleting

A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer client ID provided in the A...

CVSS: 6, EPSS: 0.00315
Exploits: 0, References: 4
Snyk
added 2025/12/16 4:57 a.m., 3 views

Authentication Bypass by Alternate Name

Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to...

CVSS: 7, AI score: 5.8, EPSS: 0.00315
Exploits: 0, References: 2
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2018-7213

Malware in sbrugna...

CVSS: 5.9, AI score: 5.9, EPSS: 0.01427
Exploits: 0, References: 3
Fedora
added 2025/08/28 1:09 a.m., 12 views

[SECURITY] Fedora 41 Update: mod_auth_openidc-2.4.17.2-1.fc41

This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server...

CVSS: 8.2, AI score: 7, EPSS: 0.0051
Exploits: 0
OSV
added 2025/04/02 6:53 a.m., 3 views

MAL-2025-3054 Malicious code in @hongfangze/simple-resource-server (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware 71bfdfddee527d454ff8513b29947095d5b34bc2e3d5b67cd0df26f38da76adf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7
Exploits: 0, References: 1
Spring Security Advisories
added 2025/04/02 12:00 a.m., 20 views

Securing Spring AI MCP servers with OAuth2

Spring AI offers support for Model Context Protocol, or MCP for short, which allows AI models to interact with and access external tools and resources in a structured way. With Spring AI, developers can create their own MCP Servers and expose capabilities to AI models in just a few lines of code...

AI score: 7
Exploits: 0
Spring Security Advisories
added 2024/10/28 12:00 a.m., 26 views

RestClient Support for OAuth2 in Spring Security 6.4

In Spring Security 6.2 and 6.3, we have worked to steadily improve configuration for applications using OAuth2 Client. Configuration for common use cases has been simplified by allowing applications to publish beans which are automatically included in the overall OAuth2 Client configuration durin...

AI score: 6.7
Exploits: 0