Authentication

A timestamp handling issue in Stigmem-node's federation peer token validation could cause valid peer tokens to be incorrectly treated as expired, impacting availability and reliability of authenticated federation flows, affecting versions prior to 0.9.0a2.

A public exploit has been published for CVE-2026-44596, a vulnerability in yamcs-core where the /auth/token authentication endpoint lacks rate limiting, allowing unauthenticated remote attackers to perform unlimited password guessing attempts against any user account, fixed in version 5.12.7.

An authenticated remote attacker can exploit a vulnerability in Keycloak to bypass security measures.

Microsoft published information regarding CVE-2026-7168, a cross-proxy Digest authentication state leak.

eduMFA versions prior to 2.9.1 are vulnerable to replay attacks due to a missing expiration flag in userless Passkey/WebAuthn challenges, potentially leading to unauthorized access.

Better Auth versions before 1.4.17 and pre-release versions before 1.5.0-beta.9 are vulnerable to CVE-2026-45364, a rate-limiting bypass that allows IPv6 clients to rotate through numerous source addresses or vary the textual encoding of one IPv6 address, effectively defeating rate limiting on authentication endpoints, potentially leading to credential stuffing, account enumeration, and amplification of password-reset email fan-out.

A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.

CVE-2026-41103 describes an incorrect implementation of the authentication algorithm in Microsoft SSO Plugin for Jira & Confluence, allowing an unauthorized attacker to elevate privileges over a network.

DevGuard versions before 1.2.2 are vulnerable to unauthenticated identity assertion via a client-supplied `X-Admin-Token` HTTP request header, potentially granting attackers full control over organizations if they can guess an admin/owner's Kratos identity UUID.

pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication, where a malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count, leading to CPU exhaustion.

A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.

A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook versions 7.0.0 through 7.5.5 and JupyterLab versions up to 4.5.6 allows attackers to steal authentication tokens by tricking users into interacting with malicious notebook files, leading to complete account takeover via the Jupyter REST API.

Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.

OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation by declaring operator scopes on non-Control-UI clients.

A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.

BugSink 2.1.0 is vulnerable to an authenticated file write vulnerability (CVE-2026-40162) allowing an attacker with a valid authentication token to write arbitrary content to the filesystem, potentially leading to code execution or data compromise.

The kcp cache server is exposed without authentication, allowing unauthorized read access to sensitive data and a race condition for write access that could lead to temporary privilege escalation.

A vulnerability in the distribution toolkit prior to 3.1.0 allows a malicious upstream registry or man-in-the-middle attacker to redirect authentication requests, potentially exposing upstream credentials.

The fast-jwt library fails to validate the 'crit' header, allowing attackers to bypass security policies and potentially achieve split-brain verification in mixed-library environments.

CVE-2026-35561 describes an insufficient authentication security control vulnerability in the browser-based authentication components of the Amazon Athena ODBC driver before version 2.1.0.0, potentially allowing a threat actor to intercept or hijack authentication sessions.

Better Auth versions prior to 1.4.9 have a critical two-factor authentication bypass vulnerability; when session.cookieCache is enabled, the initial sign-in session may be improperly cached, allowing attackers with valid credentials to bypass 2FA.

An improper authentication vulnerability (CVE-2026-32173) in the Azure SRE Agent allows an unauthorized attacker to disclose sensitive information over the network, potentially leading to data breaches or further compromise.

CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker controlling a path on the same web server to bypass URI redirect validation using a wildcard, potentially leading to access token theft and information disclosure.

GitLab CE/EE versions 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are vulnerable to improper authorization checks in Jira Connect installations, allowing an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab application.

An anonymous, remote attacker can exploit a vulnerability in MIT Kerberos to bypass security measures.

Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.

Detection of successful authentications originating from geographic locations outside of an organization's expected operational footprint, potentially indicating compromised credentials or unauthorized access.

The Auth0.js SDK versions 8.11.0 to 9.32.0 improperly returns user profile information when provided a crafted invalid ID token, potentially bypassing access controls relying on Auth0 Actions.

phpMyFAQ is vulnerable to an unauthenticated 2FA brute-force attack via the `/admin/check` endpoint, allowing attackers to bypass two-factor authentication and gain administrative access.

The Patreon OAuth provider in go-pkgz/auth and go-pkgz/auth/v2 maps every authenticated Patreon account to the same local user ID, leading to cross-account access, privilege confusion, and subscription-state leakage.

OpenEMR version 7.0.1 is vulnerable to an authentication brute force attack where attackers can bypass rate limiting by sending repeated login attempts, leading to potential unauthorized access.

Katalyst Koi versions before 4.20.0 and between 5.0.0 and 5.6.0 fail to invalidate admin session cookies upon logout, allowing attackers with a valid cookie to maintain unauthorized access.

Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.