654 matches found
Shibboleth OIDC OP <3.0.4 - Server-Side Request Forgery
The Shibboleth Identity Provider OIDC OP plugin before 3.0.4 is vulnerable to server-side request forgery SSRF due to insufficient restriction of the requesturi parameter, which allows attackers to interact with arbitrary third-party HTTP services. id: CVE-2022-24129 info: name: Shibboleth OIDC O...
CVE-2026-55672 ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refre...
CVE-2026-55689 OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-59819
LiteLLM (proxy for LLM APIs) prior to 1.83.10-stable has a local file read risk via the /health/test_connection endpoint. A privileged caller (e.g., proxy administrator) could supply environment/oidc/file references in litellm_params to read arbitrary local files, exposing sensitive contents. The...
CVE-2026-55076
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...
CVE-2026-55075 Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...
PT-2026-56297
Name of the Vulnerable Software and Affected Versions better-auth versions prior to 1.6.11 Description The legacy oidcProvider and mcp plugins expose an OAuth 2.0 token endpoint that fails to authenticate confidential clients during the refresh token grant. The system authenticates requests based...
CVE-2026-14781
A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the emailverified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but...
Origin Validation Error
Overview Affected versions of this package are vulnerable to Origin Validation Error in the OIDC discovery process when the X-Forwarded-Host header is not validated and no allowed-hosts list is configured. An attacker can manipulate the issuer and JWKS URI in the discovery document by supplying a...
PT-2026-55297
Name of the Vulnerable Software and Affected Versions Dapr affected versions not specified Description Dapr Sentry's OIDC discovery endpoint /.well-known/openid-configuration derives the issuer and jwks uri from the request Host. When no allowed-hosts list is configured, the system honors an...
GHSA-F5MR-Q85P-6HH6 Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage
Impact Three security vulnerabilities were identified in the OIDC Discovery client: 1. Blind Server-Side Request Forgery SSRF via Cross-Host Redirects: Fulcio uses an HTTP client to fetch OIDC discovery metadata /.well-known/openid-configuration. Prior to this fix, if a configured issuer returned...
PT-2026-54443
Name of the Vulnerable Software and Affected Versions Fulcio versions prior to 1.8.6 Description Three security issues were identified in the OIDC Discovery client. First, a blind Server-Side Request Forgery SSRF occurs because the HTTP client used to fetch OIDC discovery metadata from the...
GO-2026-5768 ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation) in github.com/zitadel/zitadel
ZITADEL: Missing clientid binding in OIDC authorization code exchange and refresh token flows RFC 6749 Section 4.1.3 violation in github.com/zitadel/zitadel...
ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
Summary A Server-Side Request Forgery SSRF vulnerability was discovered in Zitadel affecting: HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. OIDC BackChannel Logout: Terminates sessions across differe...
Path Equivalence
Overview Affected versions of this package are vulnerable to Path Equivalence in the pathWithoutMatrixParams of AbstractPathMatchingHttpSecurityPolicy via specially crafted HTTP requests containing encoded semicolons, slashes, or backslashes in the request path. An attacker can gain unauthorized...
GHSA-RQFJ-VV8R-XHQC nebula-mesh: Session and OIDC state cookies lack the Secure attribute
internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration discloses the session. Affected All released...
nebula-mesh: Session and OIDC state cookies lack the Secure attribute
internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration discloses the session. Affected All released...
org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services
A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...
PT-2026-48541
Name of the Vulnerable Software and Affected Versions nebula-mesh versions prior to 0.3.2 Description Cookies in internal/web/session.go and internal/web/oidc.go are configured with HttpOnly and SameSite=Lax but lack the Secure attribute. This allows a session to be disclosed if a plaintext reque...
Authenticate command with specific mechanism parameter can trigger server crash
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...