CVE-2026-59151: CWE-287: Improper Authentication in prowler-cloud prowler
CVE-2026-59151 is a critical improper authentication vulnerability in prowler versions prior to 5.30.3. The flaw involves trusting the email domain asserted in a SAMLResponse during authentication, leading to incorrect tenant token issuance. An attacker controlling a SAML Identity Provider (IdP) can exploit this to obtain tenant-scoped tokens for tenants they do not belong to, enabling cross-tenant account takeover. This issue is fixed in prowler version 5.30.3.
AI Analysis
Technical Summary
Prowler's SAML authentication flow prior to version 5.30.3 trusted the email domain asserted in the SAMLResponse to determine the tenant for token issuance. However, the ACS finish logic recalculated the tenant from user.email rather than binding token issuance strictly to the validated SAML configuration. This discrepancy allowed an authenticated attacker with control over a SAML IdP to complete a valid SAML flow for an attacker-controlled domain while asserting an email from another configured domain. Consequently, the attacker could receive a SAMLToken and tenant-scoped JWT for the wrong tenant, enabling cross-tenant account takeover. The vulnerability is identified as CWE-287 (Improper Authentication) and has a CVSS 3.1 score of 9.6 (critical). The issue is resolved in prowler version 5.30.3.
Potential Impact
Successful exploitation allows an attacker with a controlled SAML IdP to impersonate users from other tenants by obtaining tenant-scoped tokens incorrectly issued for those tenants. This leads to cross-tenant account takeover, compromising confidentiality and integrity of tenant data. The vulnerability does not affect availability. The CVSS score of 9.6 reflects the high impact on confidentiality and integrity with network attack vector and low attack complexity.
Mitigation Recommendations
Upgrade prowler to version 5.30.3 or later, where this vulnerability is fixed. The fix ensures that token issuance is properly bound to the validated SAML configuration, preventing cross-tenant token issuance. No other mitigations are indicated. Patch status is confirmed by the vendor advisory stating the issue is fixed in 5.30.3.
CVE-2026-59151: CWE-287: Improper Authentication in prowler-cloud prowler
Description
CVE-2026-59151 is a critical improper authentication vulnerability in prowler versions prior to 5.30.3. The flaw involves trusting the email domain asserted in a SAMLResponse during authentication, leading to incorrect tenant token issuance. An attacker controlling a SAML Identity Provider (IdP) can exploit this to obtain tenant-scoped tokens for tenants they do not belong to, enabling cross-tenant account takeover. This issue is fixed in prowler version 5.30.3.
CVSS v3.1
Score 9.6critical
Affected software
pkg:github/prowler-cloud/prowlerRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Prowler's SAML authentication flow prior to version 5.30.3 trusted the email domain asserted in the SAMLResponse to determine the tenant for token issuance. However, the ACS finish logic recalculated the tenant from user.email rather than binding token issuance strictly to the validated SAML configuration. This discrepancy allowed an authenticated attacker with control over a SAML IdP to complete a valid SAML flow for an attacker-controlled domain while asserting an email from another configured domain. Consequently, the attacker could receive a SAMLToken and tenant-scoped JWT for the wrong tenant, enabling cross-tenant account takeover. The vulnerability is identified as CWE-287 (Improper Authentication) and has a CVSS 3.1 score of 9.6 (critical). The issue is resolved in prowler version 5.30.3.
Potential Impact
Successful exploitation allows an attacker with a controlled SAML IdP to impersonate users from other tenants by obtaining tenant-scoped tokens incorrectly issued for those tenants. This leads to cross-tenant account takeover, compromising confidentiality and integrity of tenant data. The vulnerability does not affect availability. The CVSS score of 9.6 reflects the high impact on confidentiality and integrity with network attack vector and low attack complexity.
Mitigation Recommendations
Upgrade prowler to version 5.30.3 or later, where this vulnerability is fixed. The fix ensures that token issuance is properly bound to the validated SAML configuration, preventing cross-tenant token issuance. No other mitigations are indicated. Patch status is confirmed by the vendor advisory stating the issue is fixed in 5.30.3.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-07-02T16:50:27.886Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a513aee68715ace43ff0a8a
Added to database: 07/10/2026, 18:33:18 UTC
Last enriched: 07/10/2026, 18:47:45 UTC
Last updated: 07/10/2026, 19:21:19 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.