2356 matches found

Vulnrichment (added 2026/04/09 11:12 a.m., 2 views)

CVE-2025-57735 Apache Airflow: Airflow Logout Not Invalidating JWT

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token if it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario...

AI score 5.8, EPSS 0.0003
Exploits 0, References 3
CVE (added 2026/04/09 11:12 a.m., 22 views)

CVE-2025-57735

CVE-2025-57735 affects Airflow where a JWT token used to authenticate a user was not invalidated at logout. The provided sources indicate that Airflow 3.2 introduced a logout token-invalidation mechanism, and upgrading to Airflow 3.2.0 or newer fixes the issue. The CVSS vector in the initial desc...

CVSS 9.1, AI score 5.8, EPSS 0.0003
Exploits 0, References 4, Affected Software 1
ATTACKERKB (added 2026/04/09 11:12 a.m., 3 views)

CVE-2025-57735

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token if it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario...

CVSS 9.1, AI score 5.8, EPSS 0.0003
Exploits 0, References 4, Affected Software 1
Cvelist (added 2026/04/09 11:12 a.m., 16 views)

CVE-2025-57735 Apache Airflow: Airflow Logout Not Invalidating JWT

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token if it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario...

EPSS 0.0003
Exploits 0, References 3
CNNVD (added 2026/04/09 12:0 a.m., 4 views)

Apache Airflow Security Vulnerability

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. Versions of Apache Airflow prior to 3.2 contained security vulnerabilities; these vulnerabilities stemmed from the failure to...

CVSS 9.1, AI score 5.8, EPSS 0.0003
Exploits 0, References 4
Positive Technologies (added 2026/04/09 12:0 a.m., 2 views)

PT-2026-31606

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 3.2.0. Description: Apache Airflow is affected by an issue where JWT tokens remain valid after a user logs out, potentially allowing unauthorized access if the token is intercepted. The JWT token associated with ...

CVSS 9.1, AI score 5.8, EPSS 0.0003
Exploits 0, References 23
Github Security Blog (added 2026/04/03 9:43 p.m., 5 views)

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary: SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth...

CVSS 6.1, AI score 6, EPSS 0.00026
Exploits 1, References 4, Affected Software 1
Veracode (added 2026/03/30 8:39 a.m., 2 views)

DOM-Based Cross-Site Scripting (XSS)

github.com/zitadel/zitadel is vulnerable to DOM-Based Cross-Site Scripting (XSS). The vulnerability is due to improper validation of the postlogoutredirect parameter in the /logout endpoint, which allows an unauthenticated remote attacker to execute malicious JavaScript in users' browsers...

CVSS 8, AI score 6, EPSS 0.00044
Exploits 0, References 2, Affected Software 1
RedhatCVE (added 2026/03/26 9:42 p.m., 3 views)

CVE-2026-4393

A flaw was found in Drupal Automated Logout. A remote attacker could exploit a Cross-Site Request Forgery (CSRF) vulnerability to trick an authenticated user into performing unintended actions. This could lead to unauthorized actions being executed on behalf of the user without their consent...

AI score 5.8, EPSS 0.00021
Exploits 0, References 2
EUVD (added 2026/03/26 9:31 p.m., 3 views)

EUVD-2026-16393

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2...

AI score 5.8, EPSS 0.00021
Exploits 0, References 2
NVD (added 2026/03/26 9:17 p.m., 1 view)

CVE-2026-4393

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2...

CVSS 4.3, EPSS 0.00021
Exploits 0, References 1
Vulnrichment (added 2026/03/26 8:10 p.m., 3 views)

CVE-2026-4393 Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2...

AI score 5.9, EPSS 0.00021
Exploits 0, References 1
ATTACKERKB (added 2026/03/26 8:10 p.m., 2 views)

CVE-2026-4393

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2...

AI score 5.8, EPSS 0.00021
Exploits 0, References 2, Affected Software 1
Cvelist (added 2026/03/26 8:10 p.m., 25 views)

CVE-2026-4393 Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2...

EPSS 0.00021
Exploits 0, References 1
CVE (added 2026/03/26 8:10 p.m., 7 views)

CVE-2026-4393

CVE-2026-4393 is a CSRF vulnerability in the Drupal Automated Logout module. Root cause: the logout routes are not sufficiently protected against CSRF, enabling an authenticated user to trigger unintended actions. Affected software: Drupal Automated Logout module; affected versions ...

CVSS 4.3, AI score 5.8, EPSS 0.00021
Exploits 0, References 1, Affected Software 1
RedhatCVE (added 2026/03/26 3:13 p.m., 3 views)

CVE-2025-15553

Non-working logout functionality in Truesec's LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of the local admin password...

CVSS 6, AI score 5.8, EPSS 0.00017
Exploits 0, References 1
Github Security Blog (added 2026/03/26 9:30 a.m., 3 views)

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

CVSS 3.1, AI score 5.9, EPSS 0.00012
Exploits 0, References 4, Affected Software 1
EUVD (added 2026/03/26 9:30 a.m., 5 views)

EUVD-2026-16142

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

CVSS 3.1, AI score 5.8, EPSS 0.00012
Exploits 0, References 3
Snyk (added 2026/03/26 9:30 a.m., 0 views)

Server-side Request Forgery (SSRF)

Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the clientsessionhost parameter during refresh token requests when the...

CVSS 3.5, AI score 5.6, EPSS 0.00012
Exploits 0, References 2
OSV (added 2026/03/26 9:30 a.m., 4 views)

GHSA-22RM-WP4X-V5CX Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

CVSS 3.1, AI score 5.9, EPSS 0.00012
Exploits 0, References 4