Description
PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.
Published: 2026-07-02
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 07:15:00 +0000

Type Values Removed Values Added
Title PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests

Tue, 07 Jul 2026 14:00:00 +0000

Type Values Removed Values Added
Title PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests

Tue, 07 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse eclipse Pia
Vendors & Products Eclipse
Eclipse eclipse Pia

Mon, 06 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests

Sat, 04 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests

Sat, 04 Jul 2026 05:45:00 +0000

Type Values Removed Values Added
Title OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests

Sat, 04 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance

Fri, 03 Jul 2026 14:15:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance

Fri, 03 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Prefix Check Exploit

Thu, 02 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unvalidated OIDC Issuer Prefix Check Exploit

Thu, 02 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
Description PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Eclipse Eclipse Pia
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-07-02T12:26:16.287Z

Reserved: 2026-07-01T12:59:37.189Z

Link: CVE-2026-14336

cve-icon Vulnrichment

Updated: 2026-07-02T12:26:05.306Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T12:45:03Z

Weaknesses