{"api_version":"1","generated_at":"2026-07-15T03:58:00+00:00","cve":"CVE-2026-55954","urls":{"html":"https://cve.report/CVE-2026-55954","api":"https://cve.report/api/cve/CVE-2026-55954.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-55954","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-55954"},"summary":{"title":"Missing ID token claim validation in ueberauth_apple allows account takeover","description":"Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\n\nThe Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.\n\nAn attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.\n\nThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2.","state":"PUBLISHED","assigner":"EEF","published_at":"2026-07-14 16:17:01","updated_at":"2026-07-14 16:17:01"},"problem_types":["CWE-290","CWE-290 CWE-290 Authentication Bypass by Spoofing"],"metrics":[{"version":"4.0","source":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","data":{"attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":9.1,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"}}],"references":[{"url":"https://cna.erlef.org/cves/CVE-2026-55954.html","name":"https://cna.erlef.org/cves/CVE-2026-55954.html","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://osv.dev/vulnerability/EEF-CVE-2026-55954","name":"https://osv.dev/vulnerability/EEF-CVE-2026-55954","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28","name":"https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28","refsource":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr","name":"https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-55954","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55954","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ueberauth","product":"ueberauth_apple","version":"affected 0.1.0 0.6.2 semver","platforms":[]},{"source":"CNA","vendor":"ueberauth","product":"ueberauth_apple","version":"affected 3908a187d045c75994b62ce340c3aa26bb8976b8 01e2d9c9b3134e1b78633ad82d136d5ff4a61f28 git","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"0xRenSec","lang":"en"},{"source":"CNA","value":"AJ Foster","lang":"en"},{"source":"CNA","value":"Jonatan Männchen / EEF","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-55954","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-14T15:56:35.178814Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T15:56:51.387Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://repo.hex.pm","cpes":["cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Ueberauth.Strategy.Apple'","'Elixir.Ueberauth.Strategy.Apple.Token'"],"packageName":"ueberauth_apple","packageURL":"pkg:hex/ueberauth_apple","product":"ueberauth_apple","programFiles":["lib/ueberauth/strategy/apple.ex","lib/ueberauth/strategy/apple/token.ex"],"programRoutines":[{"name":"'Elixir.Ueberauth.Strategy.Apple':handle_callback!/1"},{"name":"'Elixir.Ueberauth.Strategy.Apple.Token':payload/2"}],"repo":"https://github.com/ueberauth/ueberauth_apple","vendor":"ueberauth","versions":[{"lessThan":"0.6.2","status":"affected","version":"0.1.0","versionType":"semver"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Ueberauth.Strategy.Apple'","'Elixir.Ueberauth.Strategy.Apple.Token'"],"packageName":"ueberauth/ueberauth_apple","packageURL":"pkg:github/ueberauth/ueberauth_apple","product":"ueberauth_apple","programFiles":["lib/ueberauth/strategy/apple.ex","lib/ueberauth/strategy/apple/token.ex"],"programRoutines":[{"name":"'Elixir.Ueberauth.Strategy.Apple':handle_callback!/1"},{"name":"'Elixir.Ueberauth.Strategy.Apple.Token':payload/2"}],"repo":"https://github.com/ueberauth/ueberauth_apple","vendor":"ueberauth","versions":[{"lessThan":"01e2d9c9b3134e1b78633ad82d136d5ff4a61f28","status":"affected","version":"3908a187d045c75994b62ce340c3aa26bb8976b8","versionType":"git"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*","versionEndExcluding":"0.6.2","versionStartIncluding":"0.1.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"0xRenSec"},{"lang":"en","type":"remediation developer","value":"AJ Foster"},{"lang":"en","type":"analyst","value":"Jonatan Männchen / EEF"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.<p>The <tt>Ueberauth.Strategy.Apple.Token.payload/2</tt> function verifies the JWT signature of the callback <tt>id_token</tt> against Apple's JWKS but does not validate any registered claims. The <tt>iss</tt>, <tt>aud</tt>, <tt>exp</tt>, and <tt>iat</tt> claims are read from the token and passed on to <tt>Ueberauth.Strategy.Apple.handle_callback!/1</tt>, which derives the logged-in user's <tt>uid</tt> and <tt>email</tt> directly from the unvalidated <tt>sub</tt> claim.</p><p>An attacker who obtains any Apple-signed ID token bearing the victim's <tt>sub</tt> (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent <tt>exp</tt> check makes stolen tokens usable indefinitely, and the absent <tt>aud</tt> check enables cross-application account takeover across clients that share an Apple developer team.</p><p>This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.</p>"}],"value":"Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\n\nThe Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.\n\nAn attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.\n\nThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2."}],"impacts":[{"capecId":"CAPEC-60","descriptions":[{"lang":"en","value":"CAPEC-60 Reusing Session IDs (aka Session Replay)"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":9.1,"baseSeverity":"CRITICAL","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-290","description":"CWE-290 Authentication Bypass by Spoofing","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T15:08:26.051Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-55954.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-55954"},{"tags":["patch"],"url":"https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28"}],"source":{"discovery":"EXTERNAL"},"title":"Missing ID token claim validation in ueberauth_apple allows account takeover","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-55954","datePublished":"2026-07-14T15:08:26.051Z","dateReserved":"2026-06-17T17:55:15.686Z","dateUpdated":"2026-07-14T15:56:51.387Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 16:17:01","lastModifiedDate":"2026-07-14 16:17:01","problem_types":["CWE-290","CWE-290 CWE-290 Authentication Bypass by Spoofing"],"metrics":{"cvssMetricV40":[{"source":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T15:56:35.178814Z","id":"CVE-2026-55954","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"55954","Ordinal":"1","Title":"Missing ID token claim validation in ueberauth_apple allows acco","CVE":"CVE-2026-55954","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"55954","Ordinal":"1","NoteData":"Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.\n\nThe Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.\n\nAn attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.\n\nThis issue affects ueberauth_apple: from 0.1.0 before 0.6.2.","Type":"Description","Title":"Missing ID token claim validation in ueberauth_apple allows acco"}]}}}