CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

61 matches found

CVE-2026-11717

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...

9.3CVSS0.00195EPSS

Exploits0References1

EUVD•added 5 days ago•10 views

EUVD-2026-37880

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...

9.3CVSS5.4AI score0.00204EPSS

Exploits0References1

CVE•added 5 days ago•22 views

CVE-2026-11717

CVE-2026-11717 details an authentication bypass in googleapis/mcp-toolbox, specifically in the validateOpaqueToken path. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp with Active as a *bool. The ...

9.3CVSS5.4AI score0.00195EPSS

Exploits0References1

EUVD•added 5 days ago•9 views

EUVD-2026-37879

9.3CVSS5.4AI score0.00195EPSS

Exploits0References1

Veracode•added 2026/06/15 12:0 p.m.•7 views

Improper Access Control

Keycloak is vulnerable to Improper Access Control. The vulnerability is due to insufficient audience restriction enforcement in the OpenID Connect token introspection endpoint, which allows an authenticated confidential client to access sensitive token claims intended for other resource servers...

6.5CVSS5.2AI score0.00366EPSS

Exploits0References9Affected Software1

NVD•added 2026/06/12 10:16 a.m.•11 views

CVE-2026-50623

An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint /services/oauth2/introspect can be accessed by any unauthenticated network attacker. However note that th...

4.8CVSS0.00435EPSS

Exploits0References2

EUVD•added 2026/06/12 8:52 a.m.•8 views

EUVD-2026-36393

6.5CVSS5.3AI score0.00435EPSS

Exploits0References1

Vulnrichment•added 2026/06/12 8:52 a.m.•10 views

CVE-2026-50623 Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService

5.3AI score0.00435EPSS

Exploits0References1

Cvelist•added 2026/06/12 8:52 a.m.•24 views

CVE-2026-50623 Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService

0.00435EPSS

Exploits0References1

CVE•added 2026/06/12 8:52 a.m.•16 views

CVE-2026-50623

CVE-2026-50623 affects Apache CXF’s OAuth2 TokenIntrospectionService. A missing 'throw' in the security context check permits access to the introspection endpoint (/services/oauth2/introspect) by any unauthenticated network attacker. This bypass is tied to a safeguard condition when authenticatio...

4.8CVSS5.4AI score0.00435EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/06/12 12:0 a.m.•7 views

PT-2026-48845

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 4.2.2 Apache CXF versions prior to 4.1.7 Description An authentication bypass exists in the OAuth2 TokenIntrospectionService. A missing 'throw' keyword in the security context check allows unauthenticated network...

6.5CVSS5.3AI score0.00435EPSS

Exploits0References7

RedhatCVE•added 2026/06/05 7:36 p.m.•9 views

CVE-2026-41671

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

6.8CVSS5.4AI score0.00323EPSS

Exploits0References1

RedHat Linux•added 2026/05/20 11:23 a.m.•54 views

keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...

6.5CVSS5.7AI score0.00366EPSS

Exploits0References4

Github Security Blog•added 2026/05/19 12:31 p.m.•7 views

Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass

6.5CVSS5.7AI score0.00366EPSS

Exploits0References8Affected Software1

OSV•added 2026/05/19 12:31 p.m.•8 views

GHSA-4X37-HW65-52W8 Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass

6.5CVSS5.7AI score0.00366EPSS

Exploits0References8

NVD•added 2026/05/19 12:16 p.m.•22 views

CVE-2026-37979

6.5CVSS0.00366EPSS

Exploits0References4

Cvelist•added 2026/05/19 10:52 a.m.•41 views

CVE-2026-37979 Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass

6.5CVSS0.00366EPSS

Exploits0References4

CVE•added 2026/05/19 10:52 a.m.•42 views

CVE-2026-37979

Keycloak CVE-2026-37979 describes an information-disclosure via the OIDC token introspection endpoint where an attacker-controlled but credentialed confidential client can bypass audience restrictions, exposing token claims intended for other resource servers. Impact is confidentiality of lightwe...

6.5CVSS5.8AI score0.00366EPSS

Exploits0References4Affected Software1

Vulnrichment•added 2026/05/19 10:52 a.m.•7 views

CVE-2026-37979 Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass

6.5CVSS5.8AI score0.00366EPSS

Exploits0References4

EUVD•added 2026/05/19 10:52 a.m.•13 views

EUVD-2026-30887

6.5CVSS5.8AI score0.00366EPSS

Exploits0References2

Rows per page