PT-2026-35449 · Authd · Authd
Samikhan-De · Published 2026-04-27 · Updated 2026-05-06 · CVE-2026-6970
CVSS v4.0: 7.3 (High)
Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
authd versions prior to 0.6.4
Description
A logic error exists in the primary group ID assignment. When a user's primary group ID (GID) differs from their user ID (UID), which occurs if the account was created with versions prior to 0.5.4 or if the primary group was manually changed using the authctl group set-gid command, and the identity provider record is updated, the system incorrectly resets the primary group ID to the UID during the next login. This results in newly created files and directories being assigned to the wrong group, which can lead to denial of service, unauthorized access to files by other local users, and local privilege escalation.
Recommendations
Update to version 0.6.4 or later.
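The following audit sketch is an added example, not part of the advisory or of authd. It lists accounts that meet the precondition in the description (primary GID differs from UID) and, given an earlier snapshot, flags accounts whose GID has since been reset to the UID. It assumes passwd-format lines, such as those `getent passwd` prints; the function names and sample accounts are constructed for illustration.

```python
"""Audit passwd-format snapshots for the GID reset described in the advisory."""

def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd-format lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # skip blank, commented or malformed lines
        try:
            entries[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue  # non-numeric UID/GID field
    return entries

def at_risk(entries):
    """Accounts whose primary GID differs from their UID (the precondition)."""
    return sorted(name for name, (uid, gid) in entries.items() if uid != gid)

def reset_to_uid(before, after):
    """Accounts whose GID differed from the UID before and equals it now."""
    hits = []
    for name, (uid, old_gid) in before.items():
        if name not in after:
            continue  # account removed between snapshots
        new_uid, new_gid = after[name]
        if new_uid == uid and old_gid != uid and new_gid == uid:
            hits.append((name, old_gid, new_gid))
    return sorted(hits)

# Constructed sample snapshots (not real accounts).
BEFORE = """\
alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10002:20500:Bob:/home/bob:/bin/bash
carol:x:10003:20500:Carol:/home/carol:/bin/bash
"""
AFTER = """\
alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10002:10002:Bob:/home/bob:/bin/bash
carol:x:10003:20500:Carol:/home/carol:/bin/bash
"""

if __name__ == "__main__":
    before, after = parse_passwd(BEFORE), parse_passwd(AFTER)
    print("GID != UID before:", at_risk(before))
    for name, old, new in reset_to_uid(before, after):
        print(f"{name}: primary GID changed {old} -> {new}")
```

Files created by a flagged account after the reset carry the wrong group and need their group ownership reviewed once the host is updated.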
Fix
DoS
LPE
Affected Products
Authd