PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.
History

Wed, 08 Jul 2026 07:15:00 +0000

Type Values Removed Values Added
Title PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests

Tue, 07 Jul 2026 14:00:00 +0000

Type Values Removed Values Added
Title PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests

Tue, 07 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse eclipse Pia
Vendors & Products Eclipse
Eclipse eclipse Pia

Mon, 06 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests

Sat, 04 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests

Sat, 04 Jul 2026 05:45:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests

Sat, 04 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance

Fri, 03 Jul 2026 14:15:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance

Fri, 03 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Prefix Check Exploit

Thu, 02 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Prefix Check Exploit

Thu, 02 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
Description PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2026-07-02T08:29:16.010Z

Updated: 2026-07-02T12:26:16.287Z

Reserved: 2026-07-01T12:59:37.189Z

Link: CVE-2026-14336

cve-icon Vulnrichment

Updated: 2026-07-02T12:26:05.306Z

cve-icon NVD

No data.

cve-icon Redhat

No data.