CVE-2026-14336: CWE-918 Server-Side request forgery (SSRF) in Eclipse Foundation Eclipse CSI - PIA
PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith('https://ci.eclipse.org') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://[email protected] (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.
AI Analysis
Technical Summary
Eclipse CSI - PIA's OIDC issuer allowlist uses a bare string prefix check (issuer.startswith('https://ci.eclipse.org')) instead of validating the issuer as a host-bounded URL. This allows attackers to craft issuer strings such as 'https://[email protected]' or 'https://ci.eclipse.org.evil.host' that pass the prefix check but redirect OIDC discovery and JWKS fetches to attacker-controlled servers. An unauthenticated caller of the POST /v1/upload/sbom endpoint can exploit this to make PIA perform outbound HTTP(S) requests to arbitrary hosts and have oidc.verify_token accept JWTs signed with the attacker's key. This constitutes a server-side request forgery (CWE-918) vulnerability with potential for token forgery and unauthorized access.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to make the affected system perform arbitrary outbound HTTP(S) requests to attacker-controlled servers. This can lead to unauthorized acceptance of JWT tokens signed by the attacker, potentially allowing privilege escalation or unauthorized access within the system. The vulnerability does not impact availability but has low confidentiality impact and high integrity impact as per the CVSS vector.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid exposing the POST /v1/upload/sbom endpoint to untrusted users or networks. Review and improve OIDC issuer validation logic to ensure proper host-bounded URL checks rather than simple string prefix matching.
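The recommendation above (a host-bounded URL check instead of string prefix matching) in working form, as an added example that is neither the page's nor the PIA project's code. It places the defective prefix pattern the advisory describes next to a parse-and-compare check that rejects userinfo and host-suffix variants. The function names, the allowlist structure and the sample issuer strings (including the constructed host attacker.example) are assumptions for illustration.

```python
"""Host-bounded OIDC issuer allowlisting (added example, not PIA's code)."""
from urllib.parse import urlsplit

# Allowlist of trusted issuers as (scheme, host, port, path prefix).
# Entry modelled on the advisory; the structure is an assumption.
ALLOWED_ISSUERS = [
    ("https", "ci.eclipse.org", 443, "/"),
]


def is_issuer_known_prefix(issuer: str) -> bool:
    """Defective pattern from the advisory: a bare string-prefix check.
    Kept only for contrast; anything that merely starts with the trusted
    origin passes, including userinfo and suffixed-host variants."""
    return issuer.startswith("https://ci.eclipse.org")


def _path_within(path: str, prefix: str) -> bool:
    """Path-segment-aware prefix test so '/jenkins' does not admit '/jenkinsx'."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def is_issuer_known_hostbound(issuer: str) -> bool:
    """Accept an issuer only if it parses as an https URL whose host and port
    match an allowlist entry exactly and whose path stays under the entry's
    path prefix. Userinfo, query and fragment components are refused outright
    (OIDC Discovery requires an issuer URL without query or fragment)."""
    try:
        parts = urlsplit(issuer)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # 'https://trusted@evil' style userinfo trick
    if parts.query or parts.fragment:
        return False
    host = parts.hostname  # already lower-cased, brackets stripped
    if not host:
        return False
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False  # non-numeric port
    path = parts.path or "/"
    for scheme, allowed_host, allowed_port, allowed_path in ALLOWED_ISSUERS:
        if (parts.scheme == scheme and host == allowed_host
                and port == allowed_port and _path_within(path, allowed_path)):
            return True
    return False


def compare_checks(issuer: str) -> tuple[bool, bool]:
    """Return (prefix_check_result, host_bound_result) for one issuer string."""
    return is_issuer_known_prefix(issuer), is_issuer_known_hostbound(issuer)


if __name__ == "__main__":
    # Constructed sample issuers: the trusted origin, the two bypass shapes
    # named in the advisory, and a few edge cases.
    for sample in [
        "https://ci.eclipse.org",
        "https://ci.eclipse.org/",
        "https://CI.ECLIPSE.ORG:443/jenkins",
        "https://ci.eclipse.org@attacker.example",   # userinfo trick
        "https://ci.eclipse.org.evil.host",          # suffix trick
        "https://ci.eclipse.org:8443",
        "http://ci.eclipse.org",
    ]:
        prefix_ok, bound_ok = compare_checks(sample)
        print(f"{sample:45} prefix={prefix_ok!s:5} host-bound={bound_ok}")
```

The prefix check returns True for both bypass shapes because it never looks past the first characters; the host-bounded check parses the string first, so the userinfo variant's real host (attacker.example) and the suffixed host never equal the allowlisted host. Comparing the port explicitly also stops a non-default port from steering discovery to another listener on the trusted name.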
CVSS v3.1
Score 8.2 (High)
Affected software
pkg:github/Eclipse CSI - PIA
Weaknesses
CWE-918 Server-Side Request Forgery (SSRF)
Technical Details
- Data Version: 5.2
- Assigner Short Name: eclipse
- Date Reserved: 2026-07-01T12:59:37.189Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a4634ad27e9c79719a6e40f
Added to database: 07/02/2026, 09:51:41 UTC
Last enriched: 07/02/2026, 10:06:38 UTC
Last updated: 07/03/2026, 00:04:53 UTC