21 matches found
CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
EEF-CVE-2026-21621 Improper Scope Enforcement in OAuth client_credentials Flow Allows Read-Only API Key to Escalate to Full Access
Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...
CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
EUVD-2026-8837
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
CVE-2026-1693
PcVue’s WebVue, WebScheduler, TouchVue and Snapvue features allegedly continue to use the OAuth Resource Owner Password Credentials (ROPC) grant flow in versions 12.0.0–16.3.3, despite deprecation. The description, drawn from NVD/CVE records, states this could allow a remote attacker to steal use...
CVE-2026-1693 Use of vulnerable Resource Owner Password Credentials flow
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
EUVD-2025-4683
Malicious code in bioql PyPI...
CVE-2025-26620
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...
GHSA-QXJ7-2X7W-3MPP Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...
CVE-2025-26620
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
PT-2025-7217 · Duende · Duende.Accesstokenmanagement
Name of the Vulnerable Software and Affected Versions: Duende.AccessTokenManagement affected versions not specified Description: Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token...
SUSE-SU-2024:1486-2 Security update for cosign
This update for cosign fixes the following issues: - CVE-2024-29902: Fixed denial of service on host machine via remote image with a malicious attachments bsc1222835 - CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts bsc1222837 Other fixes: - Updated to 2.2...
keycloak: Client Registration endpoint does not check token revocation
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information...
keycloak: Client Registration endpoint does not check token revocation
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information...
Ricoh MP C4504ex 安全漏洞
The Ricoh MP C4504ex is a printer from Ricoh Japan. A security vulnerability exists in the Ricoh MP C4504ex version 1.06, which stems from an incorrect processing credentials flow...
PT-2023-16006 · Keycloak +1 · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw was found in Keycloak where it did not properly check client tokens for possible revocation in its client credential flow. This allows an attacker to access or modify potentially...