26 matches found
GHSA-G759-4PXW-6692 @hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The GOIDC1 and GOIDC2 policy rules ar...
@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers
Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The GOIDC1 and GOIDC2 policy rules ar...
PT-2026-48474
Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The G OIDC 1 and G OIDC 2 policy rule...
BIT-NEO4J-2026-1524 Auth misconfiguration when multiple providers enabled
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...
Age Verification in the Web -- Holy Grail to Control Access to Restricted Content
Age verification before accessing restricted content is critical to protecting minors from exposure to harmful material such as pornography, gambling, violence, hateful speech, and substance purchases like alcohol and tobacco. Currently, the absence of reliable age-checking mechanisms allows...
CVE-2026-1524
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...
CVE-2026-32242
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent...
CVE-2026-32242
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent...
CVE-2026-32242 Parse Server OAuth2 adapter shares mutable state across providers via singleton instance
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent...
CVE-2026-32242
CVE-2026-32242 affects Parse Server: the built-in OAuth2 adapter previously exported a singleton instance shared across all OAuth2 provider configurations. Under concurrent authentication requests for multiple providers configured with oauth2: true, a token validation could run against another pr...
CVE-2026-32242 Parse Server OAuth2 adapter shares mutable state across providers via singleton instance
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent...
CVE-2026-32242 Parse Server OAuth2 adapter shares mutable state across providers via singleton instance
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent...
Race Condition
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition in the OAuth2 auth adapter. An attacker can gain unauthorized access by exploiting a race condition that caus...
PT-2026-25054
Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's...
Parse Server 竞争条件问题漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.6.0-alpha.11 and 8.6.37 contain a race condition vulnerability. This vulnerability stems from the reuse of singleton instance...
EUVD-2026-11212
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...
CVE-2026-1524
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...
CVE-2026-1524 Auth misconfiguration when multiple providers enabled
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...
CVE-2026-1524 Auth misconfiguration when multiple providers enabled
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...
CVE-2026-1524
An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...