109 matches found
Exposure of Resource to Wrong Sphere
Overview Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the TokenKeyResolver function. An attacker can bypass authentication and gain unauthorized access by exploiting the shared static JWKS cache across multiple schemes, allowing a key fetched for one...
CVE-2026-50202
Summary: CVE-2026-50202 affects Steeltoe libraries: Steeltoe.Security.Authentication.CloudFoundryBase < 3.4.0, Steeltoe.Security.Authentication.JwtBearer < 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect
CVE-2026-50202 Steeltoe's static JWKS cache shared across schemes and never invalidated
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and...
PT-2026-50566
Name of the Vulnerable Software and Affected Versions Steeltoe.Security.Authentication.CloudFoundryBase versions prior to 3.4.0 Steeltoe.Security.Authentication.JwtBearer versions prior to 4.2.0 Steeltoe.Security.Authentication.OpenIdConnect versions prior to 4.2.0 Description The JWT signing key...
BIT-GRAFANA-2026-33376 Auth Proxy IPv6 whitelist bypass
When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask usually /128 to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here...
CVE-2026-35560
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. Thi...
CVE-2026-35560
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. Thi...
CVE-2026-35560 Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. Thi...
CVE-2026-35560
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. Thi...
CVE-2026-35560
Affected software: Amazon Athena ODBC Driver prior to 2.1.0.0. Issue: Improper certificate validation in the identity provider connection components can enable a man‑in‑the‑middle attack to intercept authentication credentials when connecting to external identity providers. Impact: Credential int...
PT-2026-30219
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. Thi...
Keycloak 安全漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from the SAML endpoint not verifying the status of external identity Providers. This could lead to bypassing security controls and performing unauthorized...
allauth-django 输入验证错误漏洞
allauth-django is an open-source authentication application developed by allauth. Versions of allauth-django prior to 65.14.1 contained a vulnerability related to input validation errors. This vulnerability stemmed from an open redirection issue when SAML-based IdPs enabled SSO, allowing attacker...
CVE-2026-28215
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request wi...
WSO2 API Manager和WSO2 Identity Server(IS) 安全漏洞
WSO2 API Manager and WSO2 Identity Server are both products of the American company WSO2. WSO2 API Manager is a set of API lifecycle management solutions. WSO2 Identity Server is an identity authentication server. Both WSO2 API Manager and WSO2 Identity Server have security vulnerabilities. These...
State of Passkey Authentication in the Wild: A Census of the Top 100K Sites
Passkeys -- discoverable WebAuthn credentials synchronised across devices are widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering usability through platform credential managers. Since their...
Keycloak < 26.5.3 Multiple Vulnerabilities
Keycloak versions installed prior to 26.5.3 are affected by multiple vulnerabilities as referenced in the advisory. - A flaw in Keycloak where the JSON Web Token JWT authorization grant preview feature fails to validate a user's disabled status during JWT authorization grant processing. When this...
CVE-2026-1486 Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486 Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486
CVE-2026-1486 : In Keycloak, the jwt-authorization-grant flow fails to verify whether an IdP is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) fetches the IdP config but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to com...