Lucene search
K

4 matches found

OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5231 Dex: Token-exchange endpoint is missing AllowedConnectors enforcement in github.com/dexidp/dex

Dex: Token-exchange endpoint is missing AllowedConnectors enforcement in github.com/dexidp/dex...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/06/09 9:59 p.m.5 views

GHSA-7QJX-GP9H-65QJ Dex: Token-exchange endpoint is missing AllowedConnectors enforcement

Summary server/handlers.go::handleTokenExchange lines 1804-1893 does not call isConnectorAllowedclient.AllowedConnectors, connID before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the same field...

8.7CVSS5.6AI score
Exploits0References3
Snyk
Snyk
added 2026/06/09 9:59 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the handleTokenExchange function. An attacker can gain unauthorized access to restricted resources by exploiting the lack of enforcement of allowed connectors when exchanging tokens. This is only exploitable i...

8.7CVSS5.4AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/09 9:59 p.m.24 views

Dex: Token-exchange endpoint is missing AllowedConnectors enforcement

Summary server/handlers.go::handleTokenExchange lines 1804-1893 does not call isConnectorAllowedclient.AllowedConnectors, connID before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the same field...

5.6AI score
Exploits0References3Affected Software1
Rows per page
Query Builder