27 matches found
CVE-2026-55077 Coder: User-admin role can reset owner account password
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's passwor...
GO-2026-5906 Coder: User-admin role can reset owner account password in github.com/coder/coder
Coder: User-admin role can reset owner account password in github.com/coder/coder...
GHSA-29XF-69GQ-M9JX Coder: User-admin role can reset owner account password
Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...
keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers client-type, client-roles, client-attributes, client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...
CVE-2026-9792
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers client-type, client-roles, client-attributes, client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...
CVE-2026-9792 Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers client-type, client-roles, client-attributes, client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...
CVE-2026-9792 Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers client-type, client-roles, client-attributes, client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...
CVE-2026-9792
CVE-2026-9792 – Keycloak Client Policies bypass of ROPC block : A flaw in Keycloak’s Client Policies (org.keycloak.protocol.oidc) allows an unauthenticated attacker to obtain tokens via ROPC grants even when a policy blocks them. The issue occurs when certain condition providers (client-type, cli...
CVE-2026-9792
A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers client-type, client-roles, client-attributes, client-scopes are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...
Improper Handling of Insufficient Permissions or Privileges
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the org.keycloak.protocol.oidc component when...
Keycloak 安全漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability that stems from the org.keycloak.protocol.oidc component. When certain conditions are met, the reject-ropc-grant executor is silently bypassed, allowing unauthenticated...
PT-2026-44183
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the org.keycloak.protocol.oidc component of Keycloak's Client Policies. When specific condition providers—client-type, client-roles, client-attributes, or client-scopes—are...
CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
EUVD-2026-8837
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
CVE-2026-1693 Use of vulnerable Resource Owner Password Credentials flow
The OAuth grant type Resource Owner Password Credentials ROPC flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user...
CVE-2026-1693
PcVue versions 12.0.0–16.3.3 expose a vulnerability where the WebVue, WebScheduler, TouchVue, and SnapVue web services continue to use the OAuth Resource Owner Password Credentials (ROPC) flow, a deprecated grant type. This could allow a remote attacker to steal user credentials. Concretely, the ...
PT-2026-22125
Name of the Vulnerable Software and Affected Versions PcVue versions 12.0.0 through 16.3.3 Description The OAuth grant type Resource Owner Password Credentials ROPC flow is still utilized by the web services supporting the WebVue, WebScheduler, TouchVue, and Snapvue features. This practice, despi...