🔐 CVE Alert

CVE-2026-55954

UNKNOWN 0.0

Missing ID token claim validation in ueberauth_apple allows account takeover

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim. An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team. This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.

CWE CWE-290
Vendor ueberauth
Product ueberauth_apple
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for ueberauth ueberauth_apple

Be the first to know when new unknown vulnerabilities affecting ueberauth ueberauth_apple are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ueberauth / ueberauth_apple
0.1.0 < 0.6.2
ueberauth / ueberauth_apple
3908a187d045c75994b62ce340c3aa26bb8976b8 < 01e2d9c9b3134e1b78633ad82d136d5ff4a61f28

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/ueberauth/ueberauth_apple/security/advisories/GHSA-pxx8-68pc-p9mr cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-55954.html osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-55954 github.com: https://github.com/ueberauth/ueberauth_apple/commit/01e2d9c9b3134e1b78633ad82d136d5ff4a61f28

Credits

0xRenSec AJ Foster Jonatan Männchen / EEF