PT-2026-58071 · Unknown · Ueberauth Apple
0Xrensec
+1
·
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-55954
CVSS v4.0
9.1
Critical
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
ueberauth ueberauth apple versions 0.1.0 through 0.6.1
Description
An authentication bypass by spoofing allows account takeover due to unvalidated ID token claims. The
Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id token against Apple's JWKS but fails to validate registered claims. The iss, aud, exp, and iat claims are read and passed to Ueberauth.Strategy.Apple.handle callback!/1, which derives the user's uid and email directly from the unvalidated sub claim. An attacker possessing any Apple-signed ID token containing the victim's sub can replay it to authenticate as the victim. The lack of an exp (expiration) check allows stolen tokens to be used indefinitely, and the missing aud (audience) check enables account takeover across different clients within the same Apple developer team.Recommendations
Update ueberauth ueberauth apple to version 0.6.2 or later.
Exploit
Fix
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ueberauth Apple