CVE-2026-55954 — Authentication Bypass by Spoofing vulnerability in...
CVE-2026-55954 漏洞深度分析
漏洞概述
CVE 编号: CVE-2026-55954
CVSS 评分: 9.1(CRITICAL)
CVSS 向量: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE 分类: CWE-290
漏洞状态: Received
发布时间: 2026-07-14T16:17:01.093
最后更新: 2026-07-14T16:17:01.093
漏洞描述
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.
The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.
An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.
This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
影响分析
此漏洞的具体影响取决于实际利用场景。"
修复建议
- 及时关注厂商发布的安全更新和补丁
- 升级受影响组件到最新版本
- 如无法立即升级,参考厂商提供的临时缓解措施
- 加强网络访问控制和监控
参考链接
- https://cna.erlef.org/cves/CVE-2026-55954.html
- https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28
- https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr
- https://osv.dev/vulnerability/EEF-CVE-2026-55954
- https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr