Grafana Says It Rejected Ransom Demand After Source Code Theft

Grafana says hackers stole its source code after accessing a GitHub token, but no customer data or systems were affected...

Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft

Summary parseAndValidateClientRedirect at internal/service/auth/auth.go:448 validates OAuth client-redirect URIs by comparing only scheme and host against the admin-configured allowlist. Path, query, and fragment are ignored. The initiator at /oauth/:provider/login embeds the caller-supplied...

GHSA-P64J-F4X9-WQ66 Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft

Summary parseAndValidateClientRedirect at internal/service/auth/auth.go:448 validates OAuth client-redirect URIs by comparing only scheme and host against the admin-configured allowlist. Path, query, and fragment are ignored. The initiator at /oauth/:provider/login embeds the caller-supplied...

PT-2026-34209

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.21 Description An incorrect regular expression allows an attacker to bypass OAuth redirect URI validation. An attacker aware of a first-party OAuth application's registered callback URL can create a...

OAuth Authorization Code Theft

SignalK Server is vulnerable to OAuth authorization code theft. The vulnerability is due to the unvalidated HTTP Host header being used to construct the OAuth2 redirecturi, where an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic...

EUVD-2026-18376

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow...

GHSA-CXJ8-GGF2-P57C Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

EUVD-2026-18849

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...

CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...

CVE-2026-34083

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...

CVE-2026-34083

Signal K Server (signalk-server) prior to v2.24.0 contains a code-level vulnerability in its OIDC login/logout flow where an unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because redirectUri is silently unset by default, an attacker can spoof the Host header to direct...

Signal K Server 安全漏洞

The Signal K Server is an open-source marine central server developed by Signal K. Versions of the Signal K Server prior to 2.24.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of unvalidated Host headers in constructing redirect URIs, which could lead to the thef...

GHSA-RWW4-4W9C-7733 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...

ShinyHunters Claims 1 Petabyte Data Theft from Telecom Giant Telus

ShinyHunters claims it stole up to 1 petabyte of data from Telus Digital, including support recordings, code, and employee records after a breach...

GHSA-WQVH-63MV-9W92 @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

Impact The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafte...

CVE-2026-25649 Traccar Vulnerable to Authorization Code Theft via Open Redirect in OIDC Provider Endpoints

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The redirecturi parameter is not validated against a...

CVE-2026-25649

Traccar (open-source GPS tracking) up to version 6.11.1 is affected by CVE-2026-25649 due to an open redirect in two OIDC endpoints. The redirect_uri is not validated against a whitelist, enabling authenticated users to steal OAuth 2.0 authorization codes by steering them to attacker‑controlled U...

CVE-2026-25649 Traccar Vulnerable to Authorization Code Theft via Open Redirect in OIDC Provider Endpoints

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The redirecturi parameter is not validated against a...