Lucene search
+L

1196 matches found

OSV
OSV
added 2026/05/08 3:14 p.m.2 views

CVE-2026-41070 openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on SSO auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode shared library loaded by OpenVPN via the plugin...

10CVSS5.9AI score0.00438EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.11 views

openvpn-auth-oauth2 授权问题漏洞

OpenVPN-Auth-OAuth2 is a single-signpoint login authentication integration tool developed by Jan-Otto Kröpke. In versions 1.26.3 to 1.27.3 of OpenVPN-Auth-OAuth2, there were authorization-related vulnerabilities. These vulnerabilities occurred when clients did not support WebAuth/SSO in...

10CVSS5.8AI score0.00438EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/05 9:17 p.m.5 views

Improper Authentication

Overview github.com/pocketbase/pocketbase/forms is a realtime backend in 1 file Affected versions of this package are vulnerable to Improper Authentication in the OAuth2 autolinking process. An attacker can gain unauthorized access to a victim's account by pre-registering an unverified user with...

7.6CVSS5.8AI score0.00247EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.11 views

CVE-2026-7679

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication...

7.5CVSS6.8AI score0.00414EPSS
Exploits0References1
OSV
OSV
added 2026/05/04 1:12 p.m.9 views

JLSEC-2026-437 When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a...

When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with eithe...

5.3CVSS7.1AI score0.00333EPSS
Exploits1References6
CVE
CVE
added 2026/05/03 4:15 a.m.28 views

CVE-2026-7679

YunaiV yudao-cloud (up to 2026.01) is affected. The flaw resides in OAuth2TokenServiceImpl.java (getAccessToken) where manipulation leads to improper authentication. The issue is exploitable remotely with a PROOF-OF-CONCEPT exploit and no remediation details are provided in the available document...

7.5CVSS6.8AI score0.00414EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/03 4:15 a.m.8 views

CVE-2026-7679

A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication...

7.5CVSS6.8AI score0.00414EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/28 6:24 p.m.8 views

CVE-2026-40575

A flaw was found in OAuth2 Proxy. When configured with --reverse-proxy and either --skip-auth-regex or --skip-auth-route, the proxy may trust a client-supplied X-Forwarded-Uri header. An unauthenticated remote attacker can exploit this by spoofing the header, leading to an authentication bypass...

9.1CVSS5.5AI score0.00477EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/04/28 12:31 a.m.22 views

africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-application (>=1.0.0 <=1.2.0) +39336 more potentially affected by CVE-2026-40973 via org.springframework.boot:spring-boot (>=1.0.0.RELEASE <=2.7.3)

org.springframework.boot:spring-boot MAVEN version =1.0.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.0, =4.6.0.0 and more Source cves: CVE-2026-40973 Source advisory: OSV:GHSA-WWPQ-F5C3-7HVX...

7CVSS5.7AI score0.00136EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/27 9:10 p.m.4 views

CVE-2026-41059

A flaw was found in OAuth2 Proxy. An unauthenticated attacker can exploit a configuration-dependent authentication bypass by sending a crafted request containing a number sign in the path. This allows the OAuth2 Proxy to incorrectly match a public allowlist rule, leading to the exposure of...

8.2CVSS5.3AI score0.00275EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/23 10:46 p.m.5 views

CVE-2026-40574

A flaw was found in OAuth2 Proxy, a reverse proxy providing authentication using OAuth2 providers. A remote attacker can exploit an authorization bypass vulnerability by crafting a malicious email claim. This allows the attacker to bypass emaildomain restrictions, which are used to limit access t...

6.8CVSS5.8AI score0.00209EPSS
Exploits0References4
OSV
OSV
added 2026/04/23 8:47 a.m.7 views

BIT-OAUTH2-PROXY-2026-40575 OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-regex or --skip-auth-route is configured. An attacker can spoof this header so OAut...

9.1CVSS5.8AI score0.00477EPSS
Exploits0References5
OSV
OSV
added 2026/04/22 2:28 p.m.5 views

GHSA-246W-JGMQ-88FG openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access

Summary When openvpn-auth-oauth2 is deployed in the experimental plugin mode shared library loaded by OpenVPN via the plugin directive, clients that do not support WebAuth/SSO e.g., the openvpn CLI on Linux are incorrectly admitted to the VPN despite being denied by the authentication logic. The...

10CVSS5.8AI score0.00438EPSS
Exploits0References8
vulnersOsv
vulnersOsv
added 2026/04/22 6:30 a.m.12 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +307 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-oauth2-jose MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4...

6.5CVSS5.7AI score0.00203EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 6:30 a.m.11 views

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.3.0.0 <=3.3.2.2), cn.herodotus.engine:oauth2-core (>=3.3.0.0 <=3.3.2.2) +249 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=6.3.0 <=6.3.10)

org.springframework.security:spring-security-oauth2-jose MAVEN version =6.3.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.1 and more Source cves: CVE-2026-22748 Source advisory:...

6.5CVSS5.8AI score0.00203EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 6:30 a.m.10 views

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.4.0.0 <=3.4.0.1), cn.herodotus.engine:oauth2-core (>=3.4.0.0 <=3.4.0.1) +111 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=6.4.0 <=6.4.13)

org.springframework.security:spring-security-oauth2-jose MAVEN version =6.4.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2026-22748 Source advisory:...

6.5CVSS5.4AI score0.00203EPSS
Exploits0
OSV
OSV
added 2026/04/22 6:30 a.m.5 views

GHSA-CVC6-Q2CP-2XHW Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

5.3CVSS5.8AI score0.00203EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/22 5:15 a.m.4 views

CVE-2026-22748 Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

5.3CVSS5.7AI score0.00203EPSS
Exploits0References1
NVD
NVD
added 2026/04/22 12:16 a.m.10 views

CVE-2026-41059

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...

8.2CVSS0.00275EPSS
Exploits0References1
NVD
NVD
added 2026/04/22 12:16 a.m.9 views

CVE-2026-40575

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-regex or --skip-auth-route is configured. An attacker can spoof this header so OAut...

9.1CVSS0.00477EPSS
Exploits0References4
Rows per page
Query Builder