PT-2026-58071 · Unknown · Ueberauth Apple

0Xrensec

+1

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-55954

CVSS v4.0

9.1

Critical

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions ueberauth ueberauth apple versions 0.1.0 through 0.6.1
Description An authentication bypass by spoofing allows account takeover due to unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id token against Apple's JWKS but fails to validate registered claims. The iss, aud, exp, and iat claims are read and passed to Ueberauth.Strategy.Apple.handle callback!/1, which derives the user's uid and email directly from the unvalidated sub claim. An attacker possessing any Apple-signed ID token containing the victim's sub can replay it to authenticate as the victim. The lack of an exp (expiration) check allows stolen tokens to be used indefinitely, and the missing aud (audience) check enables account takeover across different clients within the same Apple developer team.
Recommendations Update ueberauth ueberauth apple to version 0.6.2 or later.

Exploit

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55954

Affected Products

Ueberauth Apple