FKIE_CVE-2026-55954

Vulnerability from fkie_nvd - Published: 2026-07-14 16:17 - Updated: 2026-07-14 16:17
Summary
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim. An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team. This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
Impacted products
Vendor Product Version

{
  "affected": [
    {
      "affectedData": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Ueberauth.Strategy.Apple\u0027",
            "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027"
          ],
          "packageName": "ueberauth_apple",
          "packageURL": "pkg:hex/ueberauth_apple",
          "product": "ueberauth_apple",
          "programFiles": [
            "lib/ueberauth/strategy/apple.ex",
            "lib/ueberauth/strategy/apple/token.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Ueberauth.Strategy.Apple\u0027:handle_callback!/1"
            },
            {
              "name": "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027:payload/2"
            }
          ],
          "repo": "https://github.com/ueberauth/ueberauth_apple",
          "vendor": "ueberauth",
          "versions": [
            {
              "lessThan": "0.6.2",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Ueberauth.Strategy.Apple\u0027",
            "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027"
          ],
          "packageName": "ueberauth/ueberauth_apple",
          "packageURL": "pkg:github/ueberauth/ueberauth_apple",
          "product": "ueberauth_apple",
          "programFiles": [
            "lib/ueberauth/strategy/apple.ex",
            "lib/ueberauth/strategy/apple/token.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Ueberauth.Strategy.Apple\u0027:handle_callback!/1"
            },
            {
              "name": "\u0027Elixir.Ueberauth.Strategy.Apple.Token\u0027:payload/2"
            }
          ],
          "repo": "https://github.com/ueberauth/ueberauth_apple",
          "vendor": "ueberauth",
          "versions": [
            {
              "lessThan": "01e2d9c9b3134e1b78633ad82d136d5ff4a61f28",
              "status": "affected",
              "version": "3908a187d045c75994b62ce340c3aa26bb8976b8",
              "versionType": "git"
            }
          ]
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\n\nThe Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple\u0027s JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user\u0027s uid and email directly from the unvalidated sub claim.\n\nAn attacker who obtains any Apple-signed ID token bearing the victim\u0027s sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.\n\nThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2."
    }
  ],
  "id": "CVE-2026-55954",
  "lastModified": "2026-07-14T16:17:01.093",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-55954",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-07-14T15:56:35.178814Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-07-14T16:17:01.093",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://cna.erlef.org/cves/CVE-2026-55954.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55954"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…