CVE-2026-55954: CWE-290 Authentication Bypass by Spoofing in ueberauth ueberauth_apple
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim. An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team. This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
AI Analysis
Technical Summary
The ueberauth_apple library's function Ueberauth.Strategy.Apple.Token.payload/2 verifies the JWT signature of the callback id_token against Apple's JWKS but fails to validate critical registered claims (iss, aud, exp, iat). The unvalidated sub claim is used directly to derive the authenticated user's identity. An attacker with any Apple-signed ID token containing the victim's sub claim—such as a captured expired token or a token issued to a sibling client in the same Apple developer team—can replay this token to bypass authentication and assume the victim's identity. The absence of expiration and audience claim checks enables indefinite token reuse and cross-application account takeover, respectively. This affects ueberauth_apple versions from 0.1.0 before 0.6.2.
Potential Impact
Successful exploitation allows an attacker to bypass authentication and take over user accounts by replaying valid Apple-signed ID tokens without proper claim validation. This can lead to unauthorized access to user accounts across multiple applications within the same Apple developer team. The vulnerability is critical due to the high impact on confidentiality and integrity, with no user interaction required and low attack complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using vulnerable versions of ueberauth_apple (versions 0.1.0 up to but not including 0.6.2). Implement additional validation of JWT registered claims (iss, aud, exp, iat) in the application logic to ensure tokens are valid and not expired. Monitor for updates from the ueberauth project regarding an official fix.
CVE-2026-55954: CWE-290 Authentication Bypass by Spoofing in ueberauth ueberauth_apple
Description
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim. An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team. This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
CVSS v4.0
Score 9.1critical
Affected software
cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ueberauth_apple library's function Ueberauth.Strategy.Apple.Token.payload/2 verifies the JWT signature of the callback id_token against Apple's JWKS but fails to validate critical registered claims (iss, aud, exp, iat). The unvalidated sub claim is used directly to derive the authenticated user's identity. An attacker with any Apple-signed ID token containing the victim's sub claim—such as a captured expired token or a token issued to a sibling client in the same Apple developer team—can replay this token to bypass authentication and assume the victim's identity. The absence of expiration and audience claim checks enables indefinite token reuse and cross-application account takeover, respectively. This affects ueberauth_apple versions from 0.1.0 before 0.6.2.
Potential Impact
Successful exploitation allows an attacker to bypass authentication and take over user accounts by replaying valid Apple-signed ID tokens without proper claim validation. This can lead to unauthorized access to user accounts across multiple applications within the same Apple developer team. The vulnerability is critical due to the high impact on confidentiality and integrity, with no user interaction required and low attack complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using vulnerable versions of ueberauth_apple (versions 0.1.0 up to but not including 0.6.2). Implement additional validation of JWT registered claims (iss, aud, exp, iat) in the application logic to ensure tokens are valid and not expired. Monitor for updates from the ueberauth project regarding an official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-17T17:55:15.686Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a565a3b68715ace43c7b649
Added to database: 07/14/2026, 15:48:11 UTC
Last enriched: 07/14/2026, 16:06:23 UTC
Last updated: 07/14/2026, 18:38:13 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.