PT-2026-48850 · Unknown · AbstractOAuthDataProvider
Published 2026-06-12 · Updated 2026-06-12 · CVE-2026-50631
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
AbstractOAuthDataProvider 4.2.x releases prior to 4.2.2
AbstractOAuthDataProvider 4.1.x releases prior to 4.1.7
Description
A race condition in AbstractOAuthDataProvider allows concurrent requests that present the same refresh token to bypass its single-use semantics and obtain multiple valid access tokens when the recycleRefreshTokens setting is false. The weakness is of the time-of-check to time-of-use kind: the check that the refresh token is still valid is separate from the step that invalidates it, so requests that arrive inside that window all pass the check. In practice a leaked refresh token can be replayed concurrently by several threads or several attackers, each receiving its own access token. The attacker must already hold the refresh token and must win the race, which is why the vector carries AC:H.
Recommendations
Upgrade to version 4.2.2 (4.2.x branch).
Upgrade to version 4.1.7 (4.1.x branch).
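The race described above, reproduced as an added example that is not code from the advisory or from the affected project. It models a refresh token's lifecycle as a single `used` flag in a constructed in-memory store (the non-recycling mode the advisory names, with the provider's real storage abstracted away), and a hypothetical `race_window` hook holds every request between check and use so the race reproduces deterministically instead of depending on scheduling. `exchange_vulnerable` checks, mints, then marks; `exchange_fixed` consumes the token atomically under a lock before minting anything. The class, function and hook names are assumptions introduced for the example.

```python
import secrets
import threading
from dataclasses import dataclass


@dataclass
class RefreshTokenRecord:
    client_id: str
    used: bool = False


class TokenStore:
    """Constructed in-memory stand-in for a provider's refresh-token table."""

    def __init__(self, race_window=None):
        self._refresh = {}
        self._lock = threading.Lock()
        # Hypothetical hook, used only to hold every thread inside the
        # check-to-use window so the race reproduces deterministically.
        self._race_window = race_window or (lambda: None)

    def issue_refresh_token(self, client_id):
        token = secrets.token_urlsafe(32)
        self._refresh[token] = RefreshTokenRecord(client_id)
        return token

    def exchange_vulnerable(self, refresh_token):
        """Check, mint, then mark: the TOCTOU pattern the advisory describes.

        Every request that reads used == False before any of them writes
        used = True is granted its own access token.
        """
        rec = self._refresh.get(refresh_token)
        if rec is None or rec.used:          # time of check
            return None
        self._race_window()                  # peers pass the same check here
        access_token = secrets.token_urlsafe(32)
        rec.used = True                      # time of use, too late to exclude peers
        return access_token

    def exchange_fixed(self, refresh_token):
        """Consume the refresh token atomically before minting anything."""
        with self._lock:
            rec = self._refresh.get(refresh_token)
            if rec is None or rec.used:
                return None
            rec.used = True                  # check and use in one critical section
        # No window remains: peers that lost the lock already see used == True.
        return secrets.token_urlsafe(32)


def replay_concurrently(exchange, refresh_token, workers=2):
    """Send the same refresh token from `workers` threads released together."""
    start = threading.Barrier(workers)
    results = [None] * workers

    def worker(i):
        start.wait()
        results[i] = exchange(refresh_token)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [r for r in results if r is not None]


def access_tokens_from_vulnerable_replay(workers=2):
    # Barrier with `workers` parties: nobody marks the token used until
    # every request has already passed the validity check.
    window = threading.Barrier(workers)
    store = TokenStore(race_window=window.wait)
    rt = store.issue_refresh_token("client-a")   # constructed client id
    return replay_concurrently(store.exchange_vulnerable, rt, workers)


def access_tokens_from_fixed_replay(workers=2):
    store = TokenStore()
    rt = store.issue_refresh_token("client-a")
    return replay_concurrently(store.exchange_fixed, rt, workers)


if __name__ == "__main__":
    n = 4
    print(f"vulnerable: {len(access_tokens_from_vulnerable_replay(n))} access tokens for one refresh token")
    print(f"fixed:      {len(access_tokens_from_fixed_replay(n))} access token for one refresh token")
```

The fix is the ordering, not the lock alone: the refresh token must be consumed (flag flipped, row deleted, or a conditional update that fails for the second caller) before an access token is minted, and that consumption has to be atomic against concurrent callers. A database-backed provider gets the same property from an `UPDATE ... WHERE used = false` that reports zero affected rows to the loser.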
Fix
Fixed in 4.2.2 and 4.1.7.
Weakness Enumeration
Time Of Check To Time Of Use (CWE-367)
Related Identifiers
CVE-2026-50631
Affected Products
AbstractOAuthDataProvider