CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5964 vulnerabilities reference this CWE, most recent first.
GHSA-9QVJ-RPJ8-V5C8
Vulnerability from github – Published: 2025-06-03 15:31 – Updated: 2025-11-14 16:17If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.
Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pekko:pekko-management_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.lightbend.akka.management:akka-management_2.13"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pekko:pekko-management_2.13"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.pekko:pekko-management_3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.lightbend.akka.management:akka-management_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.lightbend.akka.management:akka-management_3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46548"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-06T15:33:33Z",
"nvd_published_at": "2025-06-03T15:15:59Z",
"severity": "MODERATE"
},
"details": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.",
"id": "GHSA-9qvj-rpj8-v5c8",
"modified": "2025-11-14T16:17:00Z",
"published": "2025-06-03T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46548"
},
{
"type": "WEB",
"url": "https://github.com/akka/akka-management/pull/1385"
},
{
"type": "WEB",
"url": "https://github.com/apache/pekko-management/pull/418"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/06/03/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pekko Management may not properly apply authenticator when Basic Authentication is enabled"
}
GHSA-9QXP-4454-64H6
Vulnerability from github – Published: 2022-05-02 00:03 – Updated: 2022-05-02 00:03Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)3, 7.1 before 7.1(2)78, 7.2 before 7.2(4)16, 8.0 before 8.0(4)6, and 8.1 before 8.1(1)13, when configured as a VPN using Microsoft Windows NT Domain authentication, allows remote attackers to bypass VPN authentication via unknown vectors.
{
"affected": [],
"aliases": [
"CVE-2008-3815"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-10-23T22:00:00Z",
"severity": "MODERATE"
},
"details": "Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)3, 7.1 before 7.1(2)78, 7.2 before 7.2(4)16, 8.0 before 8.0(4)6, and 8.1 before 8.1(1)13, when configured as a VPN using Microsoft Windows NT Domain authentication, allows remote attackers to bypass VPN authentication via unknown vectors.",
"id": "GHSA-9qxp-4454-64h6",
"modified": "2022-05-02T00:03:52Z",
"published": "2022-05-02T00:03:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3815"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46024"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5983"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32360"
},
{
"type": "WEB",
"url": "http://www.cisco.com/en/US/products/products_security_advisory09186a0080a183ba.shtml"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31864"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1021089"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1021090"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/2899"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9R38-F9P6-3F7P
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed.
{
"affected": [],
"aliases": [
"CVE-2013-2245"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-07-29T13:59:00Z",
"severity": "MODERATE"
},
"details": "rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed.",
"id": "GHSA-9r38-f9p6-3f7p",
"modified": "2022-05-13T01:12:53Z",
"published": "2022-05-13T01:12:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2245"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=232502"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-37818"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9R4H-6JQX-QW6H
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-04-20 03:42It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.
{
"affected": [],
"aliases": [
"CVE-2017-12477"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-07T15:29:00Z",
"severity": "CRITICAL"
},
"details": "It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.",
"id": "GHSA-9r4h-6jqx-qw6h",
"modified": "2025-04-20T03:42:19Z",
"published": "2022-05-13T01:04:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12477"
},
{
"type": "WEB",
"url": "https://support.unitrends.com/UnitrendsBackup/s/article/000005755"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43031"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9R6P-3954-JM8W
Vulnerability from github – Published: 2022-05-14 02:38 – Updated: 2022-05-14 02:38Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.
{
"affected": [],
"aliases": [
"CVE-2008-6816"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-05-28T14:30:00Z",
"severity": "HIGH"
},
"details": "Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.",
"id": "GHSA-9r6p-3954-jm8w",
"modified": "2022-05-14T02:38:19Z",
"published": "2022-05-14T02:38:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6816"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46131"
},
{
"type": "WEB",
"url": "http://download.mgeops.com/install/win32/nsm/release_note_nsm_320.txt"
},
{
"type": "WEB",
"url": "http://osvdb.org/50051"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32456"
},
{
"type": "WEB",
"url": "http://www.nruns.com/security_advisory_eaton_mge_ops_network_shutdown_module_authentication_bypass.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/497824/100/100/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31933"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9R74-CMM5-QV85
Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2025-04-20 03:33The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
{
"affected": [],
"aliases": [
"CVE-2017-6413"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-02T06:59:00Z",
"severity": "HIGH"
},
"details": "The \"OpenID Connect Relying Party and OAuth 2.0 Resource Server\" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an \"AuthType oauth20\" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.",
"id": "GHSA-9r74-cmm5-qv85",
"modified": "2025-04-20T03:33:32Z",
"published": "2022-05-17T02:56:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6413"
},
{
"type": "WEB",
"url": "https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2112"
},
{
"type": "WEB",
"url": "https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog"
},
{
"type": "WEB",
"url": "https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96549"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9R75-G2CR-3H76
Vulnerability from github – Published: 2026-03-06 18:45 – Updated: 2026-03-06 18:45createWebhook() in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/{token}. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote attacker to guess the token and inject arbitrary payloads into the workflow execution context.
Impact
An attacker who guesses a webhook token can resume the associated workflow with an attacker-controlled HTTP request body, potentially triggering downstream side effects such as API calls, database writes, or deployments.
Fix
- Upgrade to version 4.2.0-beta.64. The fix removes the
tokenoption fromcreateWebhook()so that webhook tokens are always randomly generated by the SDK. - Runs created with versions prior to 4.2.0-beta.64, that are 1) still active (i.e. running), and 2) have open hooks, are still susceptible to this vulnerability. If users suspect the hook tokens are predictable or leaked - consider cancelling those runs and restarting them on the latest patch.
Workarounds
In case a version upgrade is not possible, avoid passing predictable or guessable values to the token parameter of createWebhook(). Instead, users can either
- switch from
createWebhook()tocreateHook()instead and programmatically resume hooks usingresumeHook()instead of the public webhook endpoint, or - use
createWebhook()without passing a user-providedtoken, which uses a non-guessable randomnanoidby default.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.0-beta.63"
},
"package": {
"ecosystem": "npm",
"name": "workflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0-beta.64"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.0-beta.63"
},
"package": {
"ecosystem": "npm",
"name": "@workflow/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0-beta.64"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-06T18:45:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`createWebhook()` in Vercel Workflow DevKit accepts a user-specified `token` parameter that serves as the credential for the public webhook endpoint `/.well-known/workflow/v1/webhook/{token}`. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote attacker to guess the token and inject arbitrary payloads into the workflow execution context.\n\n#### Impact\n\nAn attacker who guesses a webhook token can resume the associated workflow with an attacker-controlled HTTP request body, potentially triggering downstream side effects such as API calls, database writes, or deployments.\n\n#### Fix\n\n* Upgrade to version 4.2.0-beta.64. The fix removes the `token` option from `createWebhook()` so that webhook tokens are always randomly generated by the SDK.\n* Runs created with versions prior to 4.2.0-beta.64, that are 1) still active (i.e. running), and 2) have open hooks, are still susceptible to this vulnerability. If users suspect the hook tokens are predictable or leaked - consider cancelling those runs and restarting them on the latest patch.\n\n#### Workarounds\n\nIn case a version upgrade is not possible, avoid passing predictable or guessable values to the `token` parameter of `createWebhook()`. Instead, users can either\n\n* switch from `createWebhook()` to `createHook()` instead and programmatically resume hooks using `resumeHook()` instead of the public webhook endpoint, or\n* use `createWebhook()` without passing a user-provided `token`, which uses a non-guessable random `nanoid` by default.",
"id": "GHSA-9r75-g2cr-3h76",
"modified": "2026-03-06T18:45:02Z",
"published": "2026-03-06T18:45:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/workflow/security/advisories/GHSA-9r75-g2cr-3h76"
},
{
"type": "WEB",
"url": "https://github.com/vercel/workflow/commit/30e24d441e735635ffa4522198e6905d0e51e175"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/workflow"
},
{
"type": "WEB",
"url": "https://github.com/vercel/workflow/releases/tag/workflow%404.2.0-beta.64"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens"
}
GHSA-9R7G-325H-MXRM
Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-07-07 22:54Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-common"
},
"ranges": [
{
"events": [
{
"introduced": "0.23.0"
},
{
"fixed": "0.23.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-common"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-0229"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-07T22:54:01Z",
"nvd_published_at": "2017-03-23T20:59:00Z",
"severity": "MODERATE"
},
"details": "Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.",
"id": "GHSA-9r7g-325h-mxrm",
"modified": "2022-07-07T22:54:01Z",
"published": "2022-05-17T02:53:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0229"
},
{
"type": "WEB",
"url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Authentication in Apache Hadoop"
}
GHSA-9R7G-86M8-JW9M
Vulnerability from github – Published: 2022-05-17 01:14 – Updated: 2022-05-17 01:14Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry in /var/etc/pam_radius.conf, which might allow remote attackers to bypass authentication via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2014-6379"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-10-14T14:55:00Z",
"severity": "HIGH"
},
"details": "Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry in /var/etc/pam_radius.conf, which might allow remote attackers to bypass authentication via unspecified vectors.",
"id": "GHSA-9r7g-86m8-jw9m",
"modified": "2022-05-17T01:14:25Z",
"published": "2022-05-17T01:14:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6379"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96905"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10654"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/70365"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1031010"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9R87-MVCW-X35F
Vulnerability from github – Published: 2026-07-06 20:52 – Updated: 2026-07-06 20:52Summary
Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.
Impact
An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.
Patches
The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.
The fix was backported to all supported release lines:
| Release line | Patched version |
|---|---|
| 2.34 | v2.34.2 |
| 2.33 | v2.33.8 |
| 2.32 | v2.32.7 |
| 2.29 (ESR) | v2.29.17 |
Workarounds
Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.
Resources
- Fix: #25712, #25713
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.34.0"
},
{
"fixed": "2.34.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.33.0"
},
{
"fixed": "2.33.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.30.0"
},
{
"fixed": "2.32.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/coder/coder/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.29.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55075"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T20:52:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nTwo flaws in Coder\u0027s OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified.\n\n### Impact\n\nAn attacker who could authenticate at the configured OIDC provider with an email matching a victim\u0027s Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.\n\n### Patches\n\nThe fix restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nConfigure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.\n\n### Resources\n\n- Fix: #25712, #25713\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22450) for independently disclosing this issue!",
"id": "GHSA-9r87-mvcw-x35f",
"modified": "2026-07-06T20:52:13Z",
"published": "2026-07-06T20:52:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/25712"
},
{
"type": "WEB",
"url": "https://github.com/coder/coder/pull/25713"
},
{
"type": "PACKAGE",
"url": "https://github.com/coder/coder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass"
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.