26 matches found
CVE-2026-45108
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant DAG flow that allowed a user within the same Entra ID domain to obtain a local Unix...
CVE-2026-45108
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant DAG flow that allowed a user within the same Entra ID domain to obtain a local Unix...
CVE-2026-45108
Himmelblau (interoperability suite for Microsoft Azure Entra ID and Intune) contains an authentication bypass in the Device Authorization Grant (DAG) flow for versions 2.0.0–3.1.4 and 2.3.0–2.3.10. The root cause is in token_validate, which verified domain aliases but did not ensure the authentic...
CVE-2026-45108 Himmelblau: Authentication Bypass via Cross-User Local Session Impersonation in Device Authorization Grant (DAG) Flow
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant DAG flow that allowed a user within the same Entra ID domain to obtain a local Unix...
EUVD-2026-32633
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant DAG flow that allowed a user within the same Entra ID domain to obtain a local Unix...
CVE-2026-45108 Himmelblau: Authentication Bypass via Cross-User Local Session Impersonation in Device Authorization Grant (DAG) Flow
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant DAG flow that allowed a user within the same Entra ID domain to obtain a local Unix...
org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1609
A flaw was found in Keycloak. When the JSON Web Token JWT authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper...
Improper Restriction of Security Token Assignment
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment due to improper enforcement of user disabled-state checks i...
CVE-2026-1486
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486
CVE-2026-1486 : In Keycloak, the jwt-authorization-grant flow fails to verify whether an IdP is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) fetches the IdP config but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to com...
Keycloak 安全特征问题漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak itself. There is a security vulnerability in Keycloak, which stems from the jwt-authorization-grant process. During token issuance, the server does not verify whether the identity provider is enabled. This...
CVE-2021-41135
The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includ...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date in the CreateOIDCJWTProfileClient function, which doesn't sufficiently check token expiry times for Authorization Grants. An attacker can obtain valid access tokens by using an expired JWT key...
CVE-2025-31123 Zitadel Expired JWT Keys Usable for Authorization Grants
Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to...
RestClient Support for OAuth2 in Spring Security 6.4
In Spring Security 6.2 and 6.3, we have worked to steadily improve configuration for applications using OAuth2 Client. Configuration for common use cases has been simplified by allowing applications to publish beans which are automatically included in the overall OAuth2 Client configuration durin...
Authorization
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized acce...
CVE-2023-2585
CVE-2023-2585 concerns Keycloak’s Device Authorization Grant, where flawed validation of device_code and client_id could allow a malicious OAuth client to spoof a consent request and trick an admin into granting access to other OAuth clients or cause unauthorized access. Connected sources corrobo...