What is the CVSS score of CVE-2024-1524?

CVE-2024-1524 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Api Manager are affected by CVE-2024-1524?

This vulnerability threatens organizations using federated identity management, where attackers could hijack local user accounts by exploiting the Silent Just-In-Time Provisioning feature.

How to fix or mitigate CVE-2024-1524?

Within 24 hours: Audit and document all federated identity providers with Silent Just-In-Time Provisioning enabled, and identify overlapping usernames between federated and local user stores. Within 7 days: Disable Silent Just-In-Time Provisioning across all affected systems or implement strict username conflict policies that prevent federated provisioning when local accounts exist. Within 30 days: Implement a comprehensive identity reconciliation strategy, enforce unique username standards across federated and local directories, and establish monitoring for suspicious account provisioning events.

Api Manager CVE-2024-1524

HIGH

Authentication Bypass by Spoofing (CWE-290)

2026-02-24 ed10eef1-636d-4fbe-9993-6890dfa878f8

Authentication Bypass Api Manager Identity Server

7.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.7 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 24, 2026 - 09:16 nvd

HIGH 7.7

DescriptionCVE.org

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users.

There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.

The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled.

The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

AnalysisAI

Technical ContextAI

Classified as CWE-290 (Authentication Bypass by Spoofing). Affects Api Manager. When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2024-1524 vulnerability details – vuln.today

Back

Api Manager CVE-2024-1524

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code