Lucene search
K

147 matches found

EUVD
EUVD
added 4 hours ago5 views

EUVD-2026-43305

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token...

5.9CVSS6.1AI score
Exploits0References2
OSV
OSV
added 2026/06/25 6:43 p.m.4 views

GO-2026-5388 Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback in github.com/nhost/nhost

Nhost Leaks Refresh Tokens via URL Query Parameter in OAuth Provider Callback in github.com/nhost/nhost...

7.5CVSS5.8AI score0.00267EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/06/24 9:4 p.m.22 views

CVE-2026-49277 Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...

2.3CVSS0.00215EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/24 9:4 p.m.9 views

CVE-2026-49277

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...

2.3CVSS5.9AI score0.00215EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 8:3 p.m.29 views

CVE-2026-53928 NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForg...

6.3CVSS0.00242EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 8:3 p.m.19 views

CVE-2026-53928

NocoDB (CVE-2026-53928) had a flaw where a stolen refresh token could survive a password-forgot flow and be used to mint new JWTs after password reset. The root cause was that passwordForgot only rotated token_version and revoked OAuth tokens, but did not call UserRefreshToken.deleteAllUserToken(...

6.3CVSS5.9AI score0.00242EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/17 2:7 p.m.5 views

NPM: NocoDB: Refresh Tokens Persist Through Password Recovery

NPM: NocoDB: Refresh Tokens Persist Through Password Recovery vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...

6.3CVSS5.8AI score0.00242EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/12 11:7 a.m.8 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.apache.cxf:cxf-rt-rs-security-oauth2 is a services framework. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition due to a race condition in the AbstractOAuthDataProvider method when handling refresh tokens if the recycleRefreshTokens...

9.1CVSS5.4AI score0.00294EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 a.m.15 views

CVE-2026-50631

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or...

7.4CVSS0.00294EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 8:59 a.m.43 views

CVE-2026-50631

CVE-2026-50631 : A TOCTOU race condition in Apache CXF's AbstractOAuthDataProvider allows concurrent requests to reuse the same Refresh Token when recycleRefreshTokens is false, bypassing single-use semantics and generating multiple valid Access Tokens. This can enable token replay/abuse by multi...

7.4CVSS5.3AI score0.00294EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/12 8:59 a.m.12 views

EUVD-2026-36399

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or...

7.4CVSS5.2AI score0.00294EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/05 4:43 p.m.45 views

NocoDB: OAuth Tokens Persist Through Security Events

Summary OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details revokeAllOAuthTokensByUser in the users service was an empty stub bein...

6.3CVSS5.5AI score0.00295EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/05 4:43 p.m.13 views

GHSA-G72G-R7M4-9X4G NocoDB: OAuth Tokens Persist Through Security Events

Summary OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details revokeAllOAuthTokensByUser in the users service was an empty stub bein...

6.3CVSS5.5AI score0.00295EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.13 views

PT-2026-49060

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description OAuth access and refresh tokens are not revoked when a user changes, resets, or recovers their password. This occurs because the revokeAllOAuthTokensByUser function in the users service was an emp...

6.3CVSS5.9AI score0.00295EPSS
Exploits0References9
The Hacker News
The Hacker News
added 2026/06/03 2:56 p.m.13 views

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse t...

7.7CVSS5.8AI score0.00249EPSS
Exploits0
HackRead
HackRead
added 2026/05/31 2:54 p.m.18 views

27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens

A malicious Codex UI npm package with 27,000 weekly downloads was caught exfiltrating OpenAI refresh tokens, exposing developers to account takeover risks...

5.8AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/28 4:47 a.m.12 views

CVE-2026-9802 Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...

6.8CVSS5.7AI score0.00305EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/28 4:47 a.m.48 views

CVE-2026-9802 Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...

6.8CVSS0.00305EPSS
Exploits0References6
CVE
CVE
added 2026/05/28 4:47 a.m.42 views

CVE-2026-9802

Keycloak contains a vulnerability where, with revokeRefreshToken=true and persistent session storage, a server restart can reset internal timing mechanisms, enabling a remote attacker who has captured a user’s refresh token to replay it after revocation. This can grant unauthorized access to the ...

6.8CVSS5.7AI score0.00305EPSS
Exploits0References6Affected Software1
The Hacker News
The Hacker News
added 2026/05/19 11:30 a.m.16 views

The New Phishing Click: How OAuth Consent Bypasses MFA

In February 2026, a phishing-as-a-service PhaaS platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogi...

6.1AI score
Exploits0
Rows per page
Query Builder