Security
Headlines
HeadlinesLatestCVEs

Tag

#oauth

Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report. The

The Hacker News
Open in Source
#microsoft#oauth#auth#The Hacker News
GHSA-7rh7-c77v-6434: OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion

### Impact This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources. The issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints. Example Attack: * Configuration: `skip_auth_routes = [ "^/foo/.*/bar$" ]` * Intended behavior: Allow `/foo/something/bar` * Actual vulnerability: Also allows `/foo/critical_endpoint?param=/bar` Deployments using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query para...

GHSA-652x-m2gr-hppm: OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0

The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups where compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. ### Impact This impacts GitLab Provider users who relies on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your application...

GHSA-9g4j-v8w5-7x42: Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources

### Summary Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. ### Patches authentik 2025.4.4 and 2025.6.4 fix this issue. ### Workarounds Adding an expression policy to the user login stage on the respective authentication flow with the expression of ```py return request.context["pending_user"].is_active ``` This expression will only activate the user login stage when the user is active. ### For more information If you have any questions or comments about this advisory: - Email us at [security@goauthentik.io](mailto:security@goauthentik.io).

GHSA-2gxp-6r36-m97r: Cadwyn vulnerable to XSS on the docs page

### Summary The `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. ### PoC 1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/ 2. Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27 ### Impact Refer to this [security advisory](https://github.com/Visionatrix/Visionatrix/security/advisories/GHSA-w36r-9jvx-q48v) for an example of the impact of a similar vulnerability that shares the same root cause. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on `Cadwyn` via a one-click attack. A CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L ### Details The vulnerable code snippet can be found in the 2 functions `swagger_dashboard` and `redoc_dashboard`: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413 The implementation...

At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds

Of those, more than 200 appear to have had outages of services related to patient care following CrowdStrike’s disastrous crash, researchers have revealed.

GHSA-6v2p-p543-phr9: golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Securing Agentic AI: How to Protect the Invisible Identity Access

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These “invisible” non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have

GHSA-36rg-gfq2-3h56: Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes

### Summary An open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset-password/:token`, `/delete-user/callback`, `/magic-link/verify`, `/oauth-proxy-callback`. ### Details In the `matchesPattern` function, `url.startsWith(` can be deceived with a `url` that starts with one of the `trustedOrigins`. ```jsx const matchesPattern = (url: string, pattern: string): boolean => { if (url.startsWith("/")) { return false; } if (pattern.includes("*")) { return wildcardMatch(pattern)(getHost(url)); } return url.startsWith(pattern); }; ``` ### Open Redirect PoCs ```jsx export const auth = betterAuth({ baseURL: 'http://localhost:3000', trustedOrigins: [ "http://trusted.com" ], emailAndPassword: { ... }, }) ``` #### `/reset-password/:token` <img width="481" alt="image" src="https://github.com/user-attachments/assets/46e7871a-1dad-4375-af94-0446e29aaab6" /> <br/> <img width="518" alt...

Model Context Protocol (MCP): Understanding security risks and controls

Model Context Protocol (MCP) is a powerful protocol from Anthropic that defines how to connect large language models (LLMs) to external tools. It has quickly gained traction due to its ease of use and the benefits it adds in our use of AI. In this article we'll cover some of the potential security risks you'll encounter with MCP and how you can approach mitigating them.How MCP worksMCP does not directly connect LLMs with tools. The MCP client component accesses the LLM, and the MCP server component accesses the tools. One MCP client has access to one or more MCP servers. Users may connect any