14 matches found
CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
EEF-CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
EUVD-2025-4683
Malicious code in bioql PyPI...
CVE-2025-26620
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...
GHSA-QXJ7-2X7W-3MPP Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...
CVE-2025-26620
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
PT-2025-7217 · Duende · Duende.Accesstokenmanagement
Name of the Vulnerable Software and Affected Versions: Duende.AccessTokenManagement affected versions not specified Description: Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token...
SUSE-SU-2024:1486-2 Security update for cosign
This update for cosign fixes the following issues: - CVE-2024-29902: Fixed denial of service on host machine via remote image with a malicious attachments bsc1222835 - CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts bsc1222837 Other fixes: - Updated to 2.2...
keycloak: Client Registration endpoint does not check token revocation
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information...
PT-2023-16006 · Keycloak +1 · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw was found in Keycloak where it did not properly check client tokens for possible revocation in its client credential flow. This allows an attacker to access or modify potentially...