Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-55954: CWE-290 Authentication Bypass by Spoofing in ueberauth ueberauth_apple

0
Critical
VulnerabilityCVE-2026-55954cvecve-2026-55954cwe-290
Published: 07/14/2026 (07/14/2026, 15:08:26 UTC)
Source: CVE Database V5
Vendor/Project: ueberauth
Product: ueberauth_apple

Description

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim. An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team. This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.

CVSS v4.0

Score 9.1critical

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
None
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected software

ueberauth_apple
pkg:hex/ueberauth_apple
Affected versions
>=0.1.0 <0.6.2
GitHub Actionsmore threats →cve
ueberauth/ueberauth_apple
pkg:github/ueberauth/ueberauth_apple
CPE configurations
cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 16:06:23 UTC

Technical Analysis

The ueberauth_apple library's function Ueberauth.Strategy.Apple.Token.payload/2 verifies the JWT signature of the callback id_token against Apple's JWKS but fails to validate critical registered claims (iss, aud, exp, iat). The unvalidated sub claim is used directly to derive the authenticated user's identity. An attacker with any Apple-signed ID token containing the victim's sub claim—such as a captured expired token or a token issued to a sibling client in the same Apple developer team—can replay this token to bypass authentication and assume the victim's identity. The absence of expiration and audience claim checks enables indefinite token reuse and cross-application account takeover, respectively. This affects ueberauth_apple versions from 0.1.0 before 0.6.2.

Potential Impact

Successful exploitation allows an attacker to bypass authentication and take over user accounts by replaying valid Apple-signed ID tokens without proper claim validation. This can lead to unauthorized access to user accounts across multiple applications within the same Apple developer team. The vulnerability is critical due to the high impact on confidentiality and integrity, with no user interaction required and low attack complexity.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using vulnerable versions of ueberauth_apple (versions 0.1.0 up to but not including 0.6.2). Implement additional validation of JWT registered claims (iss, aud, exp, iat) in the application logic to ensure tokens are valid and not expired. Monitor for updates from the ueberauth project regarding an official fix.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
EEF
Date Reserved
2026-06-17T17:55:15.686Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null

Threat ID: 6a565a3b68715ace43c7b649

Added to database: 07/14/2026, 15:48:11 UTC

Last enriched: 07/14/2026, 16:06:23 UTC

Last updated: 07/14/2026, 18:38:13 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses