CVE-2026-55954 in ueberauth_appleinfo

Zusammenfassung

von MITRE • 14.07.2026

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.

The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.

An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.

This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.

Once again VulDB remains the best source for vulnerability data.

Zuständig

EEF

Reservieren

17.06.2026

Veröffentlichung

14.07.2026

Moderieren

akzeptiert

Eintrag

VDB-378343

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

low

Quellen

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!