Search
Find a vulnerability
Search criteria
2 vulnerabilities found for ueberauth_apple by ueberauth
CVE-2026-55954 (GCVE-0-2026-55954)
Vulnerability from nvd – Published: 2026-07-14 15:08 – Updated: 2026-07-14 15:56
VLAI
EPSS
VEX
Title
Missing ID token claim validation in ueberauth_apple allows account takeover
Summary
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.
The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.
An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.
This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ueberauth/ueberauth_apple/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-55954.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-55954 | related |
| https://github.com/ueberauth/ueberauth_apple/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ueberauth | ueberauth_apple |
Affected:
0.1.0 , < 0.6.2
(semver)
cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:* |
|
| ueberauth | ueberauth_apple |
Affected:
3908a187d045c75994b62ce340c3aa26bb8976b8 , < 01e2d9c9b3134e1b78633ad82d136d5ff4a61f28
(git)
cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55954",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T15:56:35.178814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:56:51.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Ueberauth.Strategy.Apple\u0027",
"\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027"
],
"packageName": "ueberauth_apple",
"packageURL": "pkg:hex/ueberauth_apple",
"product": "ueberauth_apple",
"programFiles": [
"lib/ueberauth/strategy/apple.ex",
"lib/ueberauth/strategy/apple/token.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple\u0027:handle_callback!/1"
},
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027:payload/2"
}
],
"repo": "https://github.com/ueberauth/ueberauth_apple",
"vendor": "ueberauth",
"versions": [
{
"lessThan": "0.6.2",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Ueberauth.Strategy.Apple\u0027",
"\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027"
],
"packageName": "ueberauth/ueberauth_apple",
"packageURL": "pkg:github/ueberauth/ueberauth_apple",
"product": "ueberauth_apple",
"programFiles": [
"lib/ueberauth/strategy/apple.ex",
"lib/ueberauth/strategy/apple/token.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple\u0027:handle_callback!/1"
},
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027:payload/2"
}
],
"repo": "https://github.com/ueberauth/ueberauth_apple",
"vendor": "ueberauth",
"versions": [
{
"lessThan": "01e2d9c9b3134e1b78633ad82d136d5ff4a61f28",
"status": "affected",
"version": "3908a187d045c75994b62ce340c3aa26bb8976b8",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.6.2",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xRenSec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "AJ Foster"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\u003cp\u003eThe \u003ctt\u003eUeberauth.Strategy.Apple.Token.payload/2\u003c/tt\u003e function verifies the JWT signature of the callback \u003ctt\u003eid_token\u003c/tt\u003e against Apple\u0027s JWKS but does not validate any registered claims. The \u003ctt\u003eiss\u003c/tt\u003e, \u003ctt\u003eaud\u003c/tt\u003e, \u003ctt\u003eexp\u003c/tt\u003e, and \u003ctt\u003eiat\u003c/tt\u003e claims are read from the token and passed on to \u003ctt\u003eUeberauth.Strategy.Apple.handle_callback!/1\u003c/tt\u003e, which derives the logged-in user\u0027s \u003ctt\u003euid\u003c/tt\u003e and \u003ctt\u003eemail\u003c/tt\u003e directly from the unvalidated \u003ctt\u003esub\u003c/tt\u003e claim.\u003c/p\u003e\u003cp\u003eAn attacker who obtains any Apple-signed ID token bearing the victim\u0027s \u003ctt\u003esub\u003c/tt\u003e (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent \u003ctt\u003eexp\u003c/tt\u003e check makes stolen tokens usable indefinitely, and the absent \u003ctt\u003eaud\u003c/tt\u003e check enables cross-application account takeover across clients that share an Apple developer team.\u003c/p\u003e\u003cp\u003eThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\n\nThe Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple\u0027s JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user\u0027s uid and email directly from the unvalidated sub claim.\n\nAn attacker who obtains any Apple-signed ID token bearing the victim\u0027s sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.\n\nThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:08:26.051Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-55954.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-55954"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing ID token claim validation in ueberauth_apple allows account takeover",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-55954",
"datePublished": "2026-07-14T15:08:26.051Z",
"dateReserved": "2026-06-17T17:55:15.686Z",
"dateUpdated": "2026-07-14T15:56:51.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55954 (GCVE-0-2026-55954)
Vulnerability from cvelistv5 – Published: 2026-07-14 15:08 – Updated: 2026-07-14 15:56
VLAI
EPSS
VEX
Title
Missing ID token claim validation in ueberauth_apple allows account takeover
Summary
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.
The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.
An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.
This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ueberauth/ueberauth_apple/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-55954.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-55954 | related |
| https://github.com/ueberauth/ueberauth_apple/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ueberauth | ueberauth_apple |
Affected:
0.1.0 , < 0.6.2
(semver)
cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:* |
|
| ueberauth | ueberauth_apple |
Affected:
3908a187d045c75994b62ce340c3aa26bb8976b8 , < 01e2d9c9b3134e1b78633ad82d136d5ff4a61f28
(git)
cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55954",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T15:56:35.178814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:56:51.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Ueberauth.Strategy.Apple\u0027",
"\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027"
],
"packageName": "ueberauth_apple",
"packageURL": "pkg:hex/ueberauth_apple",
"product": "ueberauth_apple",
"programFiles": [
"lib/ueberauth/strategy/apple.ex",
"lib/ueberauth/strategy/apple/token.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple\u0027:handle_callback!/1"
},
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027:payload/2"
}
],
"repo": "https://github.com/ueberauth/ueberauth_apple",
"vendor": "ueberauth",
"versions": [
{
"lessThan": "0.6.2",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Ueberauth.Strategy.Apple\u0027",
"\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027"
],
"packageName": "ueberauth/ueberauth_apple",
"packageURL": "pkg:github/ueberauth/ueberauth_apple",
"product": "ueberauth_apple",
"programFiles": [
"lib/ueberauth/strategy/apple.ex",
"lib/ueberauth/strategy/apple/token.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple\u0027:handle_callback!/1"
},
{
"name": "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027:payload/2"
}
],
"repo": "https://github.com/ueberauth/ueberauth_apple",
"vendor": "ueberauth",
"versions": [
{
"lessThan": "01e2d9c9b3134e1b78633ad82d136d5ff4a61f28",
"status": "affected",
"version": "3908a187d045c75994b62ce340c3aa26bb8976b8",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.6.2",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xRenSec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "AJ Foster"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\u003cp\u003eThe \u003ctt\u003eUeberauth.Strategy.Apple.Token.payload/2\u003c/tt\u003e function verifies the JWT signature of the callback \u003ctt\u003eid_token\u003c/tt\u003e against Apple\u0027s JWKS but does not validate any registered claims. The \u003ctt\u003eiss\u003c/tt\u003e, \u003ctt\u003eaud\u003c/tt\u003e, \u003ctt\u003eexp\u003c/tt\u003e, and \u003ctt\u003eiat\u003c/tt\u003e claims are read from the token and passed on to \u003ctt\u003eUeberauth.Strategy.Apple.handle_callback!/1\u003c/tt\u003e, which derives the logged-in user\u0027s \u003ctt\u003euid\u003c/tt\u003e and \u003ctt\u003eemail\u003c/tt\u003e directly from the unvalidated \u003ctt\u003esub\u003c/tt\u003e claim.\u003c/p\u003e\u003cp\u003eAn attacker who obtains any Apple-signed ID token bearing the victim\u0027s \u003ctt\u003esub\u003c/tt\u003e (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent \u003ctt\u003eexp\u003c/tt\u003e check makes stolen tokens usable indefinitely, and the absent \u003ctt\u003eaud\u003c/tt\u003e check enables cross-application account takeover across clients that share an Apple developer team.\u003c/p\u003e\u003cp\u003eThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\n\nThe Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple\u0027s JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user\u0027s uid and email directly from the unvalidated sub claim.\n\nAn attacker who obtains any Apple-signed ID token bearing the victim\u0027s sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.\n\nThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2."
}
],
"impacts": [
{
"capecId": "CAPEC-60",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T15:08:26.051Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-55954.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-55954"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing ID token claim validation in ueberauth_apple allows account takeover",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-55954",
"datePublished": "2026-07-14T15:08:26.051Z",
"dateReserved": "2026-06-17T17:55:15.686Z",
"dateUpdated": "2026-07-14T15:56:51.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}