Metrics
Affected Vendors & Products
Wed, 08 Jul 2026 07:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests |
Tue, 07 Jul 2026 14:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests |
Tue, 07 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests |
Mon, 06 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Eclipse
Eclipse eclipse Pia |
|
| Vendors & Products |
Eclipse
Eclipse eclipse Pia |
Mon, 06 Jul 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests |
Sat, 04 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests |
Sat, 04 Jul 2026 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests |
Sat, 04 Jul 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 03 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance |
Fri, 03 Jul 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance |
Fri, 03 Jul 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Prefix Check Exploit |
Thu, 02 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Prefix Check Exploit |
Thu, 02 Jul 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key. | |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: eclipse
Published: 2026-07-02T08:29:16.010Z
Updated: 2026-07-02T12:26:16.287Z
Reserved: 2026-07-01T12:59:37.189Z
Link: CVE-2026-14336
Updated: 2026-07-02T12:26:05.306Z
No data.
No data.