8 matches found
PT-2026-37245
Name of the Vulnerable Software and Affected Versions nuts-node versions prior to 5.4.31 nuts-node versions prior to 6.2.3 Description The v1 access token introspection endpoint '/auth/v1/introspect access token' accepts any JSON Web Token JWT signed by a key present on the node without validatin...
CVE-2026-35594
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication GetLinkShareFromClaims in pkg/models/linksharing.go constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner delet...
SUSE CVE-2025-3879
Vault Community, Vault Enterprise "Vault" Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...
BIT-VAULT-2025-3879 Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...
CVE-2025-3879
Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...
CVE-2025-3879 Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login
Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...
PT-2025-18909 · Hashicorp +1 · Vault Community Edition +2
Name of the Vulnerable Software and Affected Versions: Vault Community Edition versions prior to 1.19.1 Vault Enterprise versions prior to 1.19.1, 1.18.7, 1.17.14, 1.16.18 Description: The Azure Auth method in Vault did not correctly validate the claims in the Azure-issued token. This resulted in...
Microsoft Azure AD flaw can lead to account takeover
Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust. In a nutshell, Microsoft Azure AD allows you to change the email address associated with an account without verification of whether you are in control of tha...