Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 07:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests |
Tue, 07 Jul 2026 14:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | PIA OIDC Issuer Allowlist Prefix Validation Error Allowing Unauthorized Outbound Requests |
Tue, 07 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests |
Mon, 06 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Eclipse
Eclipse eclipse Pia |
|
| Vendors & Products |
Eclipse
Eclipse eclipse Pia |
Mon, 06 Jul 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Validation Flaw in Eclipse PIA Enables Authentication Bypass and Outbound Requests |
Sat, 04 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests |
Sat, 04 Jul 2026 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | OIDC Issuer Allowlist Bypass Leading to Arbitrary Outbound Requests |
Sat, 04 Jul 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 03 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance |
Fri, 03 Jul 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Allowlist Enables Forced External Requests and Unauthorized Token Acceptance |
Fri, 03 Jul 2026 04:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Prefix Check Exploit |
Thu, 02 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unvalidated OIDC Issuer Prefix Check Exploit |
Thu, 02 Jul 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key. | |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: eclipse
Published:
Updated: 2026-07-02T12:26:16.287Z
Reserved: 2026-07-01T12:59:37.189Z
Link: CVE-2026-14336
Updated: 2026-07-02T12:26:05.306Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T12:45:03Z