Lucene search
K

5 matches found

Vulnrichment
Vulnrichment
added 2026/05/20 4:13 p.m.7 views

CVE-2026-9087 Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login

A flaw was found in Keycloak. The cross-session verification proof is keyed only by local userId, idpAlias and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account...

6.4CVSS5.8AI score0.00312EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.12 views

PT-2026-42199

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists where the cross-session verification proof is keyed only by the userId and idpAlias and is not bound to the upstream identity that was actually verified. This allows a second...

8.1CVSS5.1AI score0.00312EPSS
Exploits0References14
RedhatCVE
RedhatCVE
added 2026/05/11 8:25 p.m.10 views

CVE-2026-42560

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

9.1CVSS5.7AI score0.00417EPSS
Exploits0References1
CVE
CVE
added 2026/05/09 4:15 a.m.15 views

CVE-2026-42560

The CVE describes a vulnerability in the Patreon OAuth provider used by github.com/go-pkgz/auth, where the mapUser logic computes a local user ID from an uninitialized field, causing every Patreon-authenticated user to share the same local identity. The GHSA advisory details show the code path wh...

9.1CVSS5.7AI score0.00417EPSS
Exploits0References4
OSV
OSV
added 2026/04/30 8:47 p.m.4 views

GHSA-F6QQ-3M3H-4G42 auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

Summary The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a...

9.1CVSS5.8AI score0.00417EPSS
Exploits0References6
Rows per page
Query Builder