#oauth

### Impact When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. ### Patches Upgrade to Flask-AppBuilder version 4.8.1 or later ### Workarounds If immediate upgrade is not possible: - Manually disable password reset routes in the application configuration - Implement additional access controls at the web server or proxy level to block access to the reset my password URL. - Monitor for suspicious password reset attempts from disabled accounts

Red Hat helps organizations embrace AI innovation by providing a comprehensive and layered approach to security and safety across the entire AI lifecycle. We use our trusted foundation and expertise in open hybrid cloud to address the challenges around AI security, helping our customers build and deploy AI applications with more trust.Understanding enterprise AI security risksAs organizations adopt AI , they encounter significant security and safety hurdles. These advanced workloads need robust infrastructure and scalable resources and a comprehensive security posture that extends across the A

A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology.

### Summary The OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. ### Details When creating or updating OAuth clients, the API validates only that requested scopes exist in the system registry. It does not verify that the requester already possesses the scopes they are assigning, allowing these users to assign arbitrary scopes to OAuth clients. ### Impact This allows contributor-level users to escalate to owner-equivalent privileges, gaining access to user management, system configuration, and permission assignment capabilities they should not possess. ### Patches The vulnerability has been patched in Fides version `2.69.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds. ### Risk Level This vuln...

The breach kickstarted a massive supply chain attack that led to the compromise of hundreds of Salesforce instances through stolen OAuth tokens.

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach. "With

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the

Salesloft Drift breach traced to GitHub compromise and stolen OAuth tokens, Mandiant confirms breach contained and Salesforce data targeted.

Plus: An AI chatbot system is linked to a widespread hack, details emerge of a US plan to plant a spy device in North Korea, your job’s security training isn’t working, and more.

pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.