Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-303
Incorrect Implementation of Authentication Algorithm
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
CVE-2026-33190 (GCVE-0-2026-33190)
Vulnerability from cvelistv5 – Published: 2026-05-05 19:02 – Updated: 2026-05-06 12:47
VLAI
Title
CoreDNS TSIG authentication bypass on encrypted DNS transports
Summary
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/coredns/coredns/security/advis… | x_refsource_CONFIRM |
| https://github.com/coredns/coredns/releases/tag/v1.14.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33190",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T12:46:45.291268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T12:47:07.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coredns",
"vendor": "coredns",
"versions": [
{
"status": "affected",
"version": "\u003c 1.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T19:02:55.374Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
},
{
"name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
}
],
"source": {
"advisory": "GHSA-qhmp-q7xh-99rh",
"discovery": "UNKNOWN"
},
"title": "CoreDNS TSIG authentication bypass on encrypted DNS transports"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33190",
"datePublished": "2026-05-05T19:02:55.374Z",
"dateReserved": "2026-03-17T22:16:36.721Z",
"dateUpdated": "2026-05-06T12:47:07.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41048 (GCVE-0-2026-41048)
Vulnerability from cvelistv5 – Published: 2026-06-22 15:31 – Updated: 2026-06-22 16:24
VLAI
Title
Caching of Authentication allows Authentication Bypass in qSnapper
Summary
Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot".
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-303 - Incorrect implementation of authentication algorithm
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://security.opensuse.org/2026/05/26/qsnapper… | third-party-advisory |
| https://github.com/presire/qSnapper/releases/tag/v1.3.3 | vendor-advisory |
| https://bugzilla.suse.com/show_bug.cgi?id=1262218 | issue-tracking |
Impacted products
Date Public
2026-05-26 15:09
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:24:42.461147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:24:59.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "qsnapper",
"product": "qSnapper",
"repo": "https://github.com/presire/qSnapper",
"vendor": "presire",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "1.2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2026-05-26T15:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like \"restore from snapshot\" even if only allowed to do \"delete snapshot\"."
}
],
"value": "Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like \"restore from snapshot\" even if only allowed to do \"delete snapshot\"."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303 Incorrect implementation of authentication algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:31:14.606Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Caching of Authentication allows Authentication Bypass in qSnapper",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2026-41048",
"datePublished": "2026-06-22T15:31:14.606Z",
"dateReserved": "2026-04-16T13:37:50.679Z",
"dateUpdated": "2026-06-22T16:24:59.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41049 (GCVE-0-2026-41049)
Vulnerability from cvelistv5 – Published: 2026-06-22 15:32 – Updated: 2026-06-22 16:25
VLAI
Title
Caching of Authentication allows Authentication Bypass between users in qSnapper
Summary
Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-303 - Incorrect implementation of authentication algorithm
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://security.opensuse.org/2026/05/26/qsnapper… | third-party-advisory |
| https://github.com/presire/qSnapper/releases/tag/v1.3.3 | vendor-advisory |
| https://bugzilla.suse.com/show_bug.cgi?id=1262218 | issue-tracking |
Impacted products
Date Public
2026-05-26 15:09
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:25:21.586546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:25:30.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "qsnapper",
"product": "qSnapper",
"repo": "https://github.com/presire/qSnapper",
"vendor": "presire",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "1.2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthias Gerstner of SUSE"
}
],
"datePublic": "2026-05-26T15:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect caching of authentication between different users of the\u0026nbsp; qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them."
}
],
"value": "Incorrect caching of authentication between different users of the\u00a0 qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303 Incorrect implementation of authentication algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:32:59.192Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Caching of Authentication allows Authentication Bypass between users in qSnapper",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2026-41049",
"datePublished": "2026-06-22T15:32:59.192Z",
"dateReserved": "2026-04-16T13:37:50.679Z",
"dateUpdated": "2026-06-22T16:25:30.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41103 (GCVE-0-2026-41103)
Vulnerability from cvelistv5 – Published: 2026-05-12 16:59 – Updated: 2026-06-19 16:13
VLAI
Title
Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
Summary
Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Confluence SAML SSO plugin |
Affected:
1.0.0 , < 7.4.0
(custom)
|
|
| Microsoft | Microsoft JIRA SAML SSO plugin |
Affected:
1.0.0 , < 1.3.3
(custom)
|
Date Public
2026-05-12 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T03:57:32.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Microsoft Confluence SAML SSO plugin",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "7.4.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
},
{
"product": "Microsoft JIRA SAML SSO plugin",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:jira_saml_sso_plugin:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.3.3",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:confluence_saml_sso_plugin:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.4.0",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-12T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira \u0026amp; Confluence allows an unauthorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T16:13:02.198Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft SSO Plugin for Jira \u0026 Confluence Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41103"
}
],
"title": "Microsoft SSO Plugin for Jira \u0026 Confluence Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-41103",
"datePublished": "2026-05-12T16:59:32.156Z",
"dateReserved": "2026-04-16T19:12:36.195Z",
"dateUpdated": "2026-06-19T16:13:02.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43640 (GCVE-0-2026-43640)
Vulnerability from cvelistv5 – Published: 2026-05-11 17:14 – Updated: 2026-05-13 14:41 X_Open Source
VLAI
Title
Bitwarden Server < 2026.4.1 Authentication Bypass via SCIM API Key
Summary
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://sanjokkarki.com.np/blog/bitwarden-scim-ke… | technical-descriptionexploit |
| https://github.com/bitwarden/server/releases/tag/… | release-notes |
| https://github.com/bitwarden/server/pull/7403 | issue-tracking |
| https://github.com/bitwarden/server/commit/eb251d… | patch |
| https://www.vulncheck.com/advisories/bitwarden-se… | third-party-advisory |
Impacted products
Date Public
2026-05-05 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43640",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:38:55.932890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:41:09.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "server",
"repo": "https://github.com/bitwarden/server",
"vendor": "bitwarden",
"versions": [
{
"lessThan": "2026.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sanjok Karki"
}
],
"datePublic": "2026-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization\u0027s SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only a valid session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T17:14:37.931Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://sanjokkarki.com.np/blog/bitwarden-scim-key-bypass"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/bitwarden/server/releases/tag/v2026.4.1"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/bitwarden/server/pull/7403"
},
{
"tags": [
"patch"
],
"url": "https://github.com/bitwarden/server/commit/eb251d9bf80724c87b187661783b9354d1784083"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/bitwarden-server-authentication-bypass-via-scim-api-key"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Bitwarden Server \u003c 2026.4.1 Authentication Bypass via SCIM API Key",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-43640",
"datePublished": "2026-05-11T17:14:37.931Z",
"dateReserved": "2026-05-01T18:22:45.642Z",
"dateUpdated": "2026-05-13T14:41:09.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46389 (GCVE-0-2026-46389)
Vulnerability from cvelistv5 – Published: 2026-06-05 18:10 – Updated: 2026-06-05 19:40
VLAI
Title
UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`
Summary
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/defenseunicorns/uds-identity-c… | x_refsource_CONFIRM |
| https://github.com/defenseunicorns/uds-identity-c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| defenseunicorns | uds-identity-config |
Affected:
>= 0.11.0, < 0.26.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T19:40:35.029663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T19:40:55.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "uds-identity-config",
"vendor": "defenseunicorns",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.11.0, \u003c 0.26.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core\u0027s Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client\u0027s service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T18:10:47.173Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/defenseunicorns/uds-identity-config/security/advisories/GHSA-8mg2-6588-r4hw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/defenseunicorns/uds-identity-config/security/advisories/GHSA-8mg2-6588-r4hw"
},
{
"name": "https://github.com/defenseunicorns/uds-identity-config/releases/tag/v0.26.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/defenseunicorns/uds-identity-config/releases/tag/v0.26.1"
}
],
"source": {
"advisory": "GHSA-8mg2-6588-r4hw",
"discovery": "UNKNOWN"
},
"title": "UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46389",
"datePublished": "2026-06-05T18:10:47.173Z",
"dateReserved": "2026-05-13T19:53:47.922Z",
"dateUpdated": "2026-06-05T19:40:55.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8922 (GCVE-0-2026-8922)
Vulnerability from cvelistv5 – Published: 2026-05-19 06:27 – Updated: 2026-06-10 21:22
VLAI
Title
Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services
Summary
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:25097 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25098 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-8922 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2479586 | issue-trackingx_refsource_REDHAT |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6.3-3 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6-6 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6.3 |
cpe:/a:redhat:build_keycloak:26.6::el9 |
Date Public
2026-05-19 06:22
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:53:15.432674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T13:41:56.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.3-3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6.3",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue."
}
],
"datePublic": "2026-05-19T06:22:56.138Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak\u0027s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T21:22:18.589Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:25097",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"name": "RHSA-2026:25098",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-8922"
},
{
"name": "RHBZ#2479586",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-18T14:50:44.323Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-19T06:22:56.138Z",
"value": "Made public."
}
],
"title": "Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-303: Incorrect Implementation of Authentication Algorithm"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-8922",
"datePublished": "2026-05-19T06:27:35.781Z",
"dateReserved": "2026-05-19T06:07:42.943Z",
"dateUpdated": "2026-06-10T21:22:18.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-90: Reflection Attack in Authentication Protocol
An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.