The Lab · 2026-03-25 21:27:20 · GitHub Issues
A critical security alert has been raised for the widely used Doorkeeper OAuth 2.0 provider gem for Ruby on Rails. Version 5.8.2 of the `doorkeeper` gem contains five distinct vulnerabilities, with the highest severity rated at 7.5 on the CVSS scale. This exposure was identified within the dependency chain of the `inte...
The Lab · 2026-04-06 08:27:00 · GitHub Issues
A high-severity security vulnerability has been identified in a codebase handling Reddit API authentication. The flaw resides in a function that directly uses environment variables containing Reddit OAuth credentials to construct an HTTP Basic Authentication header without any input validation. This creates a direct pa...
The Lab · 2026-04-10 00:39:41 · GitHub Issues
A widely used OAuth integration library, `oauthio-0.3.5.tgz`, has been reported to contain 8 security vulnerabilities, the highest rated 9.8 (CRITICAL). More importantly, these vulnerabilities are flagged as "unreachable", which the report takes to mean that they sit in the project's transitive dependencies and cannot be fixed by upgrading the main library directly. This leaves applications that depend on the library with a serious attack surface that is hard to patch.
The vulnerability details show the most severe issue to be CVE-2021-3918, with a CVSS score of 9.8, affecting the transitive dependency `json-schema-0.2.3.tgz`. Although the exploit maturity of this vulnerability is undefined, its EPSS score is 1.3%, indicating some likelihood of exploitation. The report states explicitly that the fix for this vulnerability is "N/A" (not applicable) and that "...
The Lab · 2026-04-14 12:22:41 · GitHub Issues
A security flaw has been automatically flagged in the Authlib Python library, exposing systems to information disclosure via a cryptographic padding oracle attack. The vulnerability, tracked as CVE-2026-28490 and rated HIGH severity, stems from the library's handling of the JSON Web Encryption (JWE) RSA1_5 key...
The Lab · 2026-04-16 15:22:59 · GitHub Issues
A critical OAuth implementation flaw has been identified where an authorization code is directly interpolated into a token exchange URL without proper URL encoding. This vulnerability, located in `src/asfquart/generics.py`, allows an authorization code containing URL-special characters (&, =, #, %) to malform the reque...
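To make the failure mode concrete, the following added example (not asfquart's code; endpoint, `client_id` and `redirect_uri` values are placeholders) builds a token request the interpolating way and the encoding way, then models how an authorization server would parse each. Three constructed authorization codes containing `&`, `#` and `%` show a parameter being smuggled, a parameter being lost to the URL fragment, and the code itself arriving altered. The hardened form also moves the parameters into the POST body, which is where RFC 6749 section 4.1.3 puts them.

```javascript
// Constructed example (not asfquart's code): how an unencoded authorization
// code corrupts a token request, and the encoded form that does not.
// Endpoint, client_id and redirect_uri values below are placeholders.

// Vulnerable pattern: the code is interpolated straight into the query string.
function buildTokenRequestUnsafe(tokenEndpoint, code, redirectUri, clientId) {
  return `${tokenEndpoint}?grant_type=authorization_code` +
    `&code=${code}&redirect_uri=${redirectUri}&client_id=${clientId}`;
}

// Hardened pattern: every value goes through URLSearchParams, which
// percent-encodes &, =, #, % and friends, and the parameters travel in the
// POST body (application/x-www-form-urlencoded).
function buildTokenRequestSafe(tokenEndpoint, code, redirectUri, clientId) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  });
  return {
    url: tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Models what the authorization server sees after parsing each request.
function serverViewOfUnsafe(url) {
  const params = new URL(url).searchParams;
  return { code: params.get('code'), redirectUri: params.get('redirect_uri') };
}
function serverViewOfSafe(request) {
  const params = new URLSearchParams(request.body);
  return { code: params.get('code'), redirectUri: params.get('redirect_uri') };
}

const TOKEN_ENDPOINT = 'https://as.example/oauth/token';  // placeholder
const REDIRECT_URI = 'https://app.example/callback';      // placeholder
const CLIENT_ID = 'demo-client';                           // placeholder

// Constructed authorization codes containing URL-special characters.
const CODES = {
  ampersand: 'abc&redirect_uri=https://attacker.example/cb', // smuggles a parameter
  hash: 'abc#def',                                           // everything after # becomes the fragment
  percent: 'ab%26cd',                                        // decodes to a different code
};

// Returns the server's view of the same code sent both ways.
function compare(code) {
  const unsafe = serverViewOfUnsafe(buildTokenRequestUnsafe(TOKEN_ENDPOINT, code, REDIRECT_URI, CLIENT_ID));
  const safe = serverViewOfSafe(buildTokenRequestSafe(TOKEN_ENDPOINT, code, REDIRECT_URI, CLIENT_ID));
  return { unsafe, safe };
}

for (const [name, code] of Object.entries(CODES)) {
  console.log(name, JSON.stringify(compare(code)));
}
```

Note that with the `&` code the server honours the first `redirect_uri` it sees, which is the attacker's, and with the `#` code the legitimate `redirect_uri` never reaches the server at all; the encoded form round-trips all three codes unchanged.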
The Lab · 2026-04-17 04:22:38 · GitHub Issues
A critical security vulnerability has been identified where session tokens are being passed directly in URL parameters during an OAuth authentication flow. This flaw, classified as OWASP A02 and rated Critical, exposes sensitive credentials to browser history, server access logs, and HTTP Referer headers. The finding i...
The Lab · 2026-04-17 12:22:55 · GitHub Issues
A critical logic flaw in Cryptomator Hub's OAuth flow allows attackers to bypass a previous security fix and force a downgrade to plaintext HTTP, exposing user access tokens. The vulnerability, tracked as CVE-2026-33472, resides in the `CheckHostTrustController.getAuthority()` method of version 1.19.1. This method inco...
The Lab · 2026-04-20 11:22:45 · GitHub Issues
A critical security fix has been deployed across IBM's internal application codebase, addressing a vulnerability where unvalidated router query parameters could be exploited for CRLF injection and OAuth flow manipulation. The security team identified that the application accepted user input containing URL-encoded chara...
The Lab · 2026-04-20 16:23:10 · GitHub Issues
A significant security incident at Vercel has exposed a critical vulnerability for its customers. On April 19, 2026, Vercel disclosed that attackers accessed environment variables not explicitly marked as "sensitive" through a compromised third-party OAuth application. The breach originated from a Google Workspace inte...
The Lab · 2026-04-21 10:33:33 · Medianama
Cloud platform Vercel has confirmed a breach of its internal systems, with attackers gaining entry through a compromised third-party AI tool. The incident exposed a 'limited subset' of customer data, specifically non-sensitive environment variables. Vercel maintains its core services are operational and that sensitive ...
The Lab · 2026-04-21 20:22:47 · VentureBeat
A single employee's adoption of an AI tool, combined with a malware infection at the tool's vendor, created a direct, undetected pathway into Vercel's core production systems. The breach, confirmed by the cloud platform behind Next.js, originated not from a sophisticated zero-day but from an OAuth grant that had never ...
The Lab · 2026-04-22 05:22:38 · GitHub Issues
A critical security vulnerability has been identified in a widely used OAuth JWT library. The `verify()` method within the `JwtSigner.ts` file does not validate the `alg` (algorithm) field in the JWT header. This oversight creates a direct path for algorithm confusion attacks, a well-documented and high-severity exploi...
The Lab · 2026-04-28 18:54:10 · GitHub Issues
A security advisory has flagged a medium-severity vulnerability in the authentication layer of a connected device platform, where the Microsoft Authentication Library (MSAL) stores OAuth tokens in browser localStorage—a storage mechanism accessible to any JavaScript executing on the page. The flaw is embedded in the fr...
The Lab · 2026-05-02 07:54:06 · GitHub Issues
A high-severity open redirect vulnerability has been identified in the authentication callback handler of a web application using WorkOS. The flaw exists in the code responsible for redirecting users after a successful login, specifically in the route handling the OAuth flow callback. The vulnerability allows an attack...
The Lab · 2026-05-05 00:54:08 · GitHub Issues
A medium-severity vulnerability in the authlib Python library exposes applications to cross-site request forgery (CSRF) attacks when the cache feature is enabled in OAuth integration clients. The flaw, tracked as GHSA-jj8c-mmj3-mmgv, affects version 1.6.9 and has been patched in version 1.6.11.
The vulnerability exist...
The Lab · 2026-05-06 18:31:44 · GitHub Issues
A security audit has identified a critical vulnerability in the platform's Instagram OAuth integration. The `getAuthUrl()` function in `lib/instagram.js` generates authorization URLs without a CSRF `state` parameter, while `app/api/instagram/callback/route.js` performs no state validation on the callback. This gap allo...
The Lab · 2026-05-06 22:31:38 · GitHub Issues
A critical open redirect vulnerability in the authentication callback and login page allows attackers to redirect users to phishing sites after successful OAuth login. Two endpoints accept a user-controlled redirect parameter and pass it directly to `NextResponse.redirect()` without validation, enabling silent redirect...
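Both this finding and the WorkOS callback finding above come down to a redirect parameter that reaches `NextResponse.redirect()` unvalidated. The added example below (not the code of either application; `APP_ORIGIN` is a placeholder) is the validator a practitioner would put in front of that call: it admits only same-origin absolute paths, and it also rejects CR, LF and other control characters whether raw or percent-encoded, so the same value cannot be turned into header injection of the kind described in the CRLF finding above. The sample inputs are constructed.

```javascript
// Constructed example (not the WorkOS or Next.js application code): a
// validator for a user-supplied post-login redirect target, applied before
// anything like NextResponse.redirect() is called. APP_ORIGIN is a placeholder.
const APP_ORIGIN = 'https://app.example';

const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Returns a safe same-origin path (with query and fragment) or `fallback`.
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN, fallback = '/') {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return fallback;
  // Control characters, raw or hidden behind percent-encoding (%0d%0a ...),
  // would otherwise let the value inject into the Location header.
  if (CONTROL_CHARS.test(raw)) return fallback;
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch { return fallback; }
  if (CONTROL_CHARS.test(decoded)) return fallback;
  // Only absolute-path references: no scheme, no protocol-relative //host,
  // and no backslash, which the WHATWG URL parser treats as a slash.
  if (!raw.startsWith('/') || raw.startsWith('//') || raw.startsWith('/\\')) return fallback;
  let resolved;
  try { resolved = new URL(raw, appOrigin); } catch { return fallback; }
  // Belt and braces: whatever the parser made of it must still be our origin.
  if (resolved.origin !== appOrigin) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed inputs a user or an attacker might send as ?redirect=...
const SAMPLES = [
  '/dashboard',
  '/settings?tab=security#sessions',
  'https://evil.example/login',
  '//evil.example/login',
  '/\\evil.example/login',
  'javascript:alert(1)',
  '/profile%0d%0aSet-Cookie:%20session=attacker',
  '/profile\r\nLocation: https://evil.example',
  '',
];

// Maps each sample to where the application would actually send the browser.
function classify() {
  return Object.fromEntries(SAMPLES.map((s) => [s, safeRedirectTarget(s)]));
}

console.log(classify());
```

Returning a fallback rather than throwing keeps the login flow working for users whose redirect parameter was tampered with; logging the rejected value is worthwhile, since a burst of rejections is a signal that someone is probing the callback.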
The Lab · 2026-05-09 04:31:40 · r/netsec
A systematic security failure is spreading across the AI client ecosystem. The majority of widely deployed AI tools—including Claude Code, Claude Desktop, Cursor, LibreChat, and Amazon Q CLI—are shipping without proper OAuth refresh-token flow implementations, forcing developers to fall back to long-lived access tokens...
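For readers who want to see what the missing piece looks like in code, the following added example (not code from any of the clients named above) is a minimal client-side token manager: it refreshes a short-lived access token ahead of expiry with a clock-skew margin, collapses concurrent callers into a single refresh, adopts a rotated refresh token when the server issues one, and treats `invalid_grant` as a signal to re-authenticate rather than retry. The token endpoint is an in-memory mock constructed for the demo.

```javascript
// Constructed example (not code from any of the clients named above): a
// token manager that keeps a short-lived access token fresh with a refresh
// token, tolerates clock skew, collapses concurrent refreshes into one, and
// honours refresh-token rotation. The token endpoint is an in-memory mock.

// Mock authorization server: each refresh rotates the refresh token and
// revokes the previous one, as many providers do.
function makeMockTokenEndpoint() {
  let seq = 0;
  const liveRefreshTokens = new Set(['rt-0']);
  return async function tokenEndpoint({ grant_type, refresh_token }) {
    if (grant_type !== 'refresh_token') return { error: 'unsupported_grant_type' };
    if (!liveRefreshTokens.has(refresh_token)) return { error: 'invalid_grant' };
    liveRefreshTokens.delete(refresh_token);
    seq += 1;
    liveRefreshTokens.add(`rt-${seq}`);
    return { token_type: 'Bearer', access_token: `at-${seq}`, expires_in: 3600, refresh_token: `rt-${seq}` };
  };
}

class TokenManager {
  // `now` is injectable so the demo (and tests) can move time deterministically.
  constructor({ accessToken, refreshToken, expiresAt }, tokenEndpoint, now = () => Date.now()) {
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
    this.expiresAt = expiresAt;          // epoch ms
    this.tokenEndpoint = tokenEndpoint;
    this.now = now;
    this.skewMs = 60 * 1000;             // refresh a minute early
    this.inflight = null;                // de-duplicates concurrent refreshes
    this.refreshCount = 0;
  }

  needsRefresh() { return this.now() + this.skewMs >= this.expiresAt; }

  async getAccessToken() {
    if (!this.needsRefresh()) return this.accessToken;
    // With rotation, two parallel refreshes would invalidate each other's
    // result, so every caller waits on the same in-flight request.
    if (!this.inflight) this.inflight = this.refresh().finally(() => { this.inflight = null; });
    await this.inflight;
    return this.accessToken;
  }

  async refresh() {
    if (!this.refreshToken) throw new Error('no refresh token: interactive re-authentication required');
    const res = await this.tokenEndpoint({ grant_type: 'refresh_token', refresh_token: this.refreshToken });
    if (res.error) {
      // invalid_grant means the refresh token was revoked, expired or replayed:
      // drop everything so the caller re-authenticates instead of retrying.
      this.accessToken = null; this.refreshToken = null; this.expiresAt = 0;
      throw new Error(`refresh failed: ${res.error}`);
    }
    this.refreshCount += 1;
    this.accessToken = res.access_token;
    this.expiresAt = this.now() + res.expires_in * 1000;
    if (res.refresh_token) this.refreshToken = res.refresh_token; // rotation
  }
}

// Demo driver (constructed): start with a token that expires in one hour,
// jump the clock past expiry, fetch the access token twice concurrently, and
// finally try to replay the old refresh token against the server.
async function demo() {
  let clock = 1_000_000;
  const endpoint = makeMockTokenEndpoint();
  const tm = new TokenManager(
    { accessToken: 'at-0', refreshToken: 'rt-0', expiresAt: clock + 3600 * 1000 },
    endpoint,
    () => clock,
  );
  const before = await tm.getAccessToken();          // still fresh
  clock += 3600 * 1000;                              // access token now expired
  const [a, b] = await Promise.all([tm.getAccessToken(), tm.getAccessToken()]);
  const replay = await endpoint({ grant_type: 'refresh_token', refresh_token: 'rt-0' });
  return { before, after: [a, b], refreshCount: tm.refreshCount, currentRefresh: tm.refreshToken, replay };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The point of the exercise is that none of this is exotic: with a refresh flow in place the access token can be scoped to an hour, and a stolen refresh token is both rotated on use and revocable by the server, neither of which holds for a long-lived access token pasted into a config file.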