Uua
CVE-2026-22734
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UUA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive).
AnalysisAI
Authentication bypass in Cloud Foundry UAA allows remote unauthenticated attackers to obtain access tokens for arbitrary users when SAML 2.0 bearer assertions are enabled, leading to unauthorized access to all UAA-protected systems. Affects UAA versions 77.30.0 through 78.7.0 and CF Deployment versions 48.7.0 through 54.14.0. The vulnerability stems from acceptance of unsigned and unencrypted SAML 2.0 assertions (CWE-290: Authentication Bypass by Spoofing), enabling complete authentication mechanism bypass with network access and low attack complexity (CVSS 8.6, AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but the technical details disclosed in the vendor blog create high weaponization potential.
Technical ContextAI
Cloud Foundry User Account and Authentication (UAA) service provides OAuth 2.0 and OpenID Connect identity management for Cloud Foundry platforms. The vulnerability resides in the SAML 2.0 bearer assertion grant flow implementation (RFC 7522), which enables clients to exchange SAML assertions for OAuth access tokens. According to CWE-290 (Authentication Bypass by Spoofing), the UAA implementation fails to validate cryptographic signatures or encryption on incoming SAML 2.0 bearer assertions when this grant type is enabled for a client. SAML 2.0 specifications require assertions to be either signed by the Identity Provider or encrypted to prevent forgery and man-in-the-middle attacks. By accepting unsigned, unencrypted assertions, the UAA treats any well-formed XML assertion as legitimate, allowing attackers to craft arbitrary assertions claiming any user identity. The CPE string identifies the affected component as the UAA service (cpe:2.3:a:cloud_foundry:uua - note possible typo in CPE, should be 'uaa'), which serves as the central authentication and authorization broker for Cloud Foundry environments. The scope change (S:C) in the CVSS vector indicates this vulnerability allows attackers to access resources beyond the vulnerable UAA component itself, compromising all downstream services relying on UAA for authentication.
RemediationAI
Upgrade Cloud Foundry UAA to version 78.8.0 or later, which implements mandatory signature validation for SAML 2.0 bearer assertions. For Cloud Foundry Deployment users, upgrade to version 54.15.0 or later which includes the patched UAA component. Refer to the vendor advisory at https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/ for complete upgrade instructions and compatibility notes. If immediate patching is not feasible, implement the following compensating control: disable SAML 2.0 bearer assertion grant type for all OAuth clients by removing the 'urn:ietf:params:oauth:grant-type:saml2-bearer' grant type from client configurations in the UAA database or via the uaac CLI tool. This mitigation prevents exploitation but breaks SAML-based SSO workflows for affected clients, requiring alternative authentication mechanisms such as authorization code flow or password grants. Organizations should audit all OAuth client configurations to identify which clients use SAML bearer assertions before applying this workaround. Network-level controls such as restricting UAA endpoint access are insufficient because legitimate SAML assertions also arrive via network requests. The patch is the only complete remediation that maintains SAML functionality while preventing forgery.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today