
17 matches found

CVE
added 6 days ago, 17 views

CVE-2026-49757

AshAuthentication (versions before 4.14.0 and before 5.0.0-rc.10) is vulnerable to an authentication bypass where OAuth2/OIDC sign-in matches local users by email rather than the issuer/sub identity. An attacker able to provide a victim’s email to an OAuth provider could be signed in to the victi...

CVSS 9.2, AI score 5.4, EPSS 0.00441
Exploits 1, References 5
Nextcloud
added 2026/05/12 8:51 a.m., 11 views

Open Redirect in user_oidc login flow via protocol-relative URL bypass

None...

CVSS 6.1, AI score 5.8, EPSS 0.00232
Exploits 0, References 2, Affected Software 1
Cvelist
added 2026/03/26 8:03 p.m., 19 views

CVE-2026-3531 OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0...

EPSS 0.00246
Exploits 0, References 1
EUVD
added 2026/03/25 9:10 p.m., 2 views

EUVD-2026-14913

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect...

CVSS 7.1, AI score 5.8, EPSS 0.00453
Exploits 1, References 7
Vulnrichment
added 2026/03/12 6:59 p.m., 1 view

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

CVSS 8.5, AI score 5.8, EPSS 0.0027
Exploits 1, References 1
EUVD
added 2025/12/18 9:21 a.m., 2 views

EUVD-2025-204252

The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openidconnectgenericauthurl' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, AI score 4.7, EPSS 0.00197
Exploits 0, References 5
Github Security Blog
added 2025/12/12 7:22 p.m., 6 views

NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)

Impact: NeuVector supports login authentication through OpenID Connect. However, the TLS verification which verifies the remote server's authenticity and integrity for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. Starting from...

CVSS 8.8, AI score 7, EPSS 0.00321
Exploits 0, References 5, Affected Software 1
CNNVD
added 2025/10/22 12:00 a.m., 3 views

OpenBao log information disclosure vulnerability

OpenBao is open source sensitive data management software. A log information disclosure vulnerability exists in OpenBao versions 2.2.0 through 2.4.1, which stems from audit logs that do not properly redact the original HTTP body, which could lead to the disclosure of ACME authentication...

CVSS 7.5, AI score 6, EPSS 0.00286
Exploits 0, References 3
Cvelist
added 2025/08/22 5:02 p.m., 8 views

CVE-2025-57800 Audiobookshelf vulnerable to OIDC token exfiltration and account takeover

Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie,...

CVSS 8.8, EPSS 0.00429
Exploits 1, References 2
Tenable Nessus
added 2025/08/20 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2021-32792

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users...

CVSS 6.1, AI score 6.4, EPSS 0.01523
Exploits 0, References 2
IBM Security Bulletins
added 2025/08/15 12:26 a.m., 9 views

Security Bulletin: A security vulnerability has been discovered in IBM Verify Identity Access OIDC Provider (CVE-2024-56171)

Summary: A security vulnerability has been addressed in IBM Verify Identity Access OIDC Provider. Vulnerability Details: CVEID: CVE-2024-56171. DESCRIPTION: libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in...

CVSS 9.8, AI score 7, EPSS 0.0113
Exploits 0, Affected Software 1
CNNVD
added 2025/03/03 12:00 a.m., 2 views

OpenID Connect Core security vulnerability

OpenID Connect Core is a simple identity layer on top of the OAuth 2.0 protocol from the OpenID Foundation. A security vulnerability exists in OpenID Connect Core version 1.0. An attacker can exploit this vulnerability to impersonate a client using a private key JWT...

CVSS 6.9, AI score 6.7, EPSS 0.00319
Exploits 0, References 5
RedHat Linux
added 2024/12/11 4:07 p.m., 4 views

ceph: rhceph-container: Authentication bypass in CEPH RadosGW

A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm (alg). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid token...

CVSS 8.1, AI score 5.8, EPSS 0.00184
Exploits 0, References 7
BDU FSTEC
added 2023/05/17 12:00 a.m., 4 views

A vulnerability in the OpenID Connect Login service of the Keycloak identity and access management software allows a malicious actor to create new session tokens and compromise the confidentiality, integrity, and availability of protected information.

The vulnerability in the OpenID Connect Login service of the Keycloak identity and access management software is related to an incorrect implementation of the authentication algorithm. Exploiting this vulnerability could allow a malicious actor to create new session tokens remotely, thereby...

CVSS 7.1, AI score 5.9, EPSS 0.01274
Exploits 1, References 3, Affected Software 2
OSV
added 2021/08/09 9:15 p.m., 2 views

CVE-2021-21584

Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials...

CVSS 6.5, AI score 5.8, EPSS 0.0081
Exploits 0, References 1
RedHat Linux
added 2020/07/23 7:03 a.m., 1 view

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the...

CVSS 7.5, AI score 7.3, EPSS 0.0606
Exploits 0, References 4
BDU FSTEC
added 2017/03/31 12:00 a.m., 2 views

A vulnerability in WebSphere Application Server allows attackers to escalate their privileges.

The vulnerability in the OIDC and TAI server components of WebSphere Application Server is related to deficiencies in access control. Exploiting this vulnerability can allow a malicious actor to escalate their privileges remotely...

CVSS 6.8, AI score 7.4, EPSS 0.02237
Exploits 0, References 3, Affected Software 1