Lucene search
K

73 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-55669

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer iss but not the audience aud claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted ...

4.2CVSS0.00112EPSS
Exploits0References3
CVE
CVE
added 4 days ago28 views

CVE-2026-55669

CVE-2026-55669 affects ZITADEL: the external JWT Identity Provider failed to validate the audience (aud) claim, accepting a token signed for a different relying party. The issue, affecting ZITADEL’s JWT IdP implementation, is mitigated by requiring audience validation and is fixed in versions 3.4...

4.2CVSS6.1AI score0.00112EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-55669 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer iss but not the audience aud claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted ...

4.2CVSS0.00112EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 4 days ago8 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication authn.method=oidc, authn.oidc.issuer set but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result...

8.1CVSS6.1AI score0.00298EPSS
Exploits0References8
NVD
NVD
added 5 days ago6 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

8.1CVSS0.00298EPSS
Exploits0References5
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

6.8CVSS0.00298EPSS
Exploits0References5
CVE
CVE
added 5 days ago49 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

8.1CVSS6AI score0.00298EPSS
Exploits0References5Affected Software2
RedHat Linux
RedHat Linux
added 5 days ago6 views

Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18.1.P1 for Spring Boot release.

Red Hat build of Apache Camel 4.18.1.P1 for Spring Boot patch release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

10CVSS7.4AI score0.00969EPSS
Exploits6References33
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5423 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset in github.com/openfga/openfga...

8.1CVSS5.8AI score0.00298EPSS
Exploits0References1
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5391 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider in github.com/zitadel/zitadel

ZITADEL: Missing Token Audience Validation aud in JWT IdP Provider in github.com/zitadel/zitadel...

4.2CVSS5.8AI score0.00112EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 9:7 p.m.10 views

CVE-2026-55759

Rocket.Chat Apple Sign-In had a JWT claims validation bypass prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. Any Apple-signed JWT with a non-empty iss could be accepted regardless of aud, exp, nbf, or nonce, enabling replay authentication if an attacker obtains a user’s identity t...

7.4CVSS5.9AI score0.00243EPSS
Exploits0References1
OSV
OSV
added 2026/06/19 2:35 p.m.7 views

GHSA-HCXC-WF8J-23HV OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

6.8CVSS5.8AI score0.00298EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 2:35 p.m.12 views

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...

8.1CVSS5.8AI score0.00298EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.20 views

PT-2026-50974

Name of the Vulnerable Software and Affected Versions OpenFGA versions prior to 1.18.0 Description The OIDC authenticator fails to validate the JWT audience aud claim when no audience is configured. In environments where a single identity provider issues tokens for multiple services, a token...

6.8CVSS5.8AI score0.00298EPSS
Exploits0References9
OSV
OSV
added 2026/06/18 1:52 p.m.5 views

GHSA-G5H5-M4HM-XJRR ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

Summary An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider IdP implementation. When validating JSON Web Tokens JWTs from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer iss, but it fails to validate the...

4.2CVSS5.7AI score0.00112EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50738

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0 through 4.11.0 ZITADEL versions 3.0.0 through 3.4.11 Description An authentication bypass exists in the external JWT Identity Provider IdP implementation. While the system validates the cryptographic signature and the...

4.2CVSS5.9AI score0.00112EPSS
Exploits0References8
CVE
CVE
added 2026/06/12 8:55 a.m.36 views

CVE-2026-50627

The CVE-2026-50627 issue affects Apache CXF’s JwtAccessTokenValidator, which fails to validate the aud (Audience) claim in incoming JWT access tokens. As described in multiple sources (NVD/Red Hat/CVE List/etc.), a token issued for one Resource Server could be replayed against a different Resourc...

9.1CVSS5.2AI score0.00445EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/06/12 8:55 a.m.40 views

CVE-2026-50627 Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' Audience claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users...

0.00445EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:55 a.m.7 views

CVE-2026-50627 Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' Audience claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users...

5.2AI score0.00445EPSS
Exploits0References1
OSV
OSV
added 2026/06/12 8:55 a.m.3 views

CVE-2026-50627 Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' Audience claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users...

9.1CVSS5.9AI score0.00445EPSS
Exploits0References9
Rows per page
Query Builder