Tag
high
advisory
Sigstore Fulcio Vulnerabilities: OIDC Discovery Redirect Leads to SSRF, JWKS Substitution, and Kubernetes Token Leakage (CVE-2026-49478)
4 TTPsA high-severity vulnerability (CVE-2026-49478) in Sigstore Fulcio's OIDC discovery client allows blind Server-Side Request Forgery (SSRF) via cross-host redirects, facilitates JWKS substitution for cache poisoning, and causes Kubernetes ServiceAccount token leakage to external attackers, potentially compromising supply chain integrity and cluster resources.
Fulcio
supply-chain-security
kubernetes
oidc
ssrf
jwks
cve
4t
critical
advisory
Centrifugo JWKS Cache Authentication Bypass
2 TTPsA critical authentication bypass vulnerability exists in Centrifugo v6's dynamic JWKS endpoint feature, allowing an attacker to bypass JWT authentication for one tenant by leveraging a valid token from another tenant due to incorrect JWKS key caching indexed only by the `kid`.
Centrifugo v6
authentication-bypass
jwt
jwks
centrifugo
web-application
2t