EEF-CVE-2026-55954

Source
https://cna.erlef.org/osv/EEF-CVE-2026-55954.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-55954.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-55954
Aliases
Published
2026-07-14T15:08:26.051Z
Modified
2026-07-15T04:14:10.603Z
Severity
  • 9.1 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Missing ID token claim validation in ueberauth_apple allows account takeover
Details

Summary

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.

The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.

An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.

This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:ueberauth:ueberauth_apple:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-290"
    ],
    "capec_ids": [
        "CAPEC-60"
    ]
}
References
Credits
    • 0xRenSec - FINDER
    • AJ Foster - REMEDIATION_DEVELOPER
    • Jonatan Männchen / EEF - ANALYST

Affected packages

Hex / ueberauth_apple

Package

Name
ueberauth_apple
Purl
pkg:hex/ueberauth_apple

Affected ranges

Type
SEMVER
Events
Introduced
0.1.0
Fixed
0.6.2

Affected versions

0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.6.0
0.6.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-55954.json"

Git / github.com/ueberauth/ueberauth_apple

Affected ranges

Type
GIT
Repo
https://github.com/ueberauth/ueberauth_apple
Events

Affected versions

0.*
0.6.0
0.6.0-rc.0
0.6.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-55954.json"