
High-severity XXE disclosed across multiple WSO2 products
CVE-2024-2374 reports a High-severity XXE in multiple WSO2 products, enabling unauthenticated file reads, limited HTTP resource access, and denial of service via XML entity expansion.

A High-severity OpenStack Keystone LDAP backend bug can treat disabled LDAP users as enabled, allowing authentication and actions until patched or mitigated.

CVE-2026-34457 is a Critical auth bypass in `oauth2-proxy` auth_request deployments where health-check User-Agent matching can grant unauthenticated access to protected upstreams.

CVE-2026-33707 is a critical Chamilo LMS flaw where deterministic `sha1(email)` reset tokens allow unauthenticated password resets, impacting `chamilo/chamilo-lms` <1.11.38 and <2.0.0-RC.3.

GitHub and CVE records report a High OIDC login-path flaw in Vikunja <2.3.0 where email fallback skips TOTP, issuing JWTs without second-factor verification.

YesWeHack reports a Critical auth bypass in WordPress `login-with-azure` (Entra ID/Azure AD SSO) <=2.2.5 enabling forged `id_token` logins as any user; patched in 2.2.6.

CVE-2026-29145 is a Critical Apache Tomcat/Tomcat Native flaw where CLIENT_CERT authentication may not fail as expected when soft-fail is disabled, impacting multiple supported branches.

CVE-2026-1114 is a Critical weak-JWT-signing-secret issue in `parisneo/lollms` <2.2.0 that enables offline key brute-force and forged admin tokens over the network.

CVE-2026-33439 is a critical pre-auth Java deserialization RCE in OpenIdentityPlatform OpenAM <16.0.6, where jato.clientSession can execute commands via crafted serialized objects.

Wordfence published CVE-2026-5465, a High IDOR in WordPress `ameliabooking` <=2.1.3 that lets authenticated Provider users reset passwords for arbitrary accounts, including admins.

CVE-2026-34950 discloses a Critical JWT algorithm confusion in `fast-jwt` <=6.1.0 that can accept attacker-signed tokens when key parsing is bypassed by leading whitespace.

CVE-2026-27124 reports a High-severity OAuth consent-validation flaw in `fastmcp` (<3.2.0) that can let attackers impersonate GitHub users against MCP servers.

A GitHub-reviewed advisory reports a critical auth bypass in `litellm` when JWT auth is enabled, allowing unauthenticated impersonation via an OIDC userinfo cache key collision.

CVE-2026-33175 is a High-severity auth bypass in `oauthenticator` letting Auth0 users with unverified emails impersonate existing JupyterHub accounts when `email` is used as `username_claim`.

CVE-2026-34953 is a critical auth bypass in PraisonAI where arbitrary Bearer tokens authenticate to the MCP server, granting full tool and agent capability access.

CVE-2026-34840 fixes a High-severity OneUptime SAML SSO signature-binding flaw affecting `oneuptime` <10.0.42, enabling low-privilege users to authenticate as other project users.

CVE-2026-34236 discloses insufficient-entropy cookie encryption in `auth0/auth0-php` (>=8.0.0, <8.19.0), allowing attackers to brute-force the key and forge session cookies.

CVE-2026-34076 discloses an unauthenticated SSRF in Clerk’s `clerkFrontendApiProxy` that can exfiltrate `Clerk-Secret-Key` in several `@clerk/*` server SDKs used by Node.js backends.

A Critical advisory for `convoypanel/panel` reports JWT signature verification was missing in SSO, allowing remote attackers to forge tokens and authenticate as arbitrary users.

GitHub advisory for Juju reports a critical TLS authentication flaw allowing unauthenticated network attackers to join the controller’s Dqlite cluster and read/modify all controller data.

CVE-2026-34751 is a critical flaw in `payload` and `@payloadcms/graphql` < `3.79.1`, letting unauthenticated attackers perform actions as users initiating password resets. ([raw.githubusercontent.com](https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34751.json))

A High-severity GitLab CE/EE authorization flaw in Jira Connect installations could let low-privilege authenticated users obtain installation credentials and impersonate the GitLab app.

OpenBao installations using OIDC/JWT auth with `callback_mode=direct` roles can be phished into issuing tokens to an attacker session; fixed in 2.5.2.

CVE-2026-33322 discloses a critical JWT algorithm confusion in MinIO OIDC login that lets attackers with the OIDC ClientSecret forge tokens and obtain S3 credentials.

NVD published a critical jsrsasign DSA domain-parameter validation flaw that can allow forged DSA signatures or X.509 certificates to pass `X509.verifySignature()` checks.

A critical pac4j-jwt flaw lets remote attackers forge authentication tokens via JWE-wrapped PlainJWTs, enabling login as arbitrary users (including admins) in affected versions.

CVE-2026-27197 is a critical SAML SSO flaw in self-hosted Sentry that can enable account takeover in multi-organization instances.