BIT-AUTHENTIK-2024-47077 authentik cross-provider token validation problems

authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued...

CVE-2026-34224

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

GHSA-Q6H8-4J2V-PJG4 Minder trusts client-provided mapping from repo name to upstream ID

Summary When using a modified client or the grpc interface directly, the RegisterRepository call accepts both the repository owner / repo and the repoid. Furthermore, these two are not checked for matching before registering webhooks and data in the database. Details It is possible for an attacke...

Denial of service

Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with...