20 matches found
CVE-2026-40166
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing...
EUVD-2019-2977
Malware in sbrugna...
CVE-2022-2083
The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site...
CVE-2024-47083
Power Platform Terraform Provider allows managing environments and other resources within Power Platform. Versions prior to 3.0.0 have an issue in the Power Platform Terraform Provider where sensitive information, specifically the client_secret used in the service principal authentication, may be...
CVE-2024-47083
CVE-2024-47083 affects the Microsoft Power Platform Terraform Provider. Versions prior to 3.0.0 contain an issue where the service principal authentication’s sensitive data, notably the client_secret, may be exposed in logs due to a logging code error that fails to mask it when logs are persisted...
CVE-2024-47083 Power Platform Terraform Provider has Improper Masking of Secrets in Logs
CVE-2024-0560
A vulnerability was found in 3Scale, when used with Keycloak 15 or RHSSO 7.5.0 and later. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO...
Nextcloud: OAuth2 client_secret stored in plain text in the database
An OAuth2 client secret was stored in plain text in a database. If accessed without authorization, this would have allowed the client secret to be easily read, enabling impersonation of any OAuth2 client...
CVE-2022-2083
CVE-2022-2083 affects the WordPress plugin “Simple Single Sign On”
Simple Single Sign On <= 4.1.0 - Authentication Bypass
The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.
PoC
When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...
GHSA-3858-58W9-WPCG Jenkins OpenId Connect Authentication Plugin showed plain text client secret in configuration form
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or to control the browser (e.g. via a malicious extension), to retrieve t...
CVE-2021-32753
EdgeX Foundry is an open source project for building a common open framework for internet-of-things edge computing. A vulnerability exists in the Edinburgh, Fuji, Geneva, and Hanoi versions of the software. When the EdgeX API gateway is configured for OAuth2 authentication and a proxy user is...
Denial Of Service (DoS)
matrix-sydent is vulnerable to denial of service. Lack of validation of the client_secret and email parameters allows an attacker to cause excessive usage of disk space and memory via malicious input, which can potentially lead to an application crash...
CVE-2021-24163
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form...
CVE-2019-11293
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...
CVE-2019-11293 UAA logs all query parameters with debug logging level
CVE-2019-11293: UAA logs all query parameters with debug logging level | Cloud Foundry
Severity: High
Vendor: Cloud Foundry Foundation
Description: Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query param. A remote authenticated malicious user could gain access to user credentials via the uaa.log...
Aspen: client_secret Token disclosure
Greetings, I think I've discovered a client_secret token disclosure.
Proof of concept:
1. Go to https://github.com/AspenWeb/experimental-javascript-version/blob/master/www/blog/index.html
2. At line 6, a client_secret token is disclosed...
Information Disclosure
nforce is vulnerable to information disclosure. The vulnerability exists because index.js leaks the client_secret from the URI generated by getAuthUri...