Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.
AnalysisAI
Kiuwan SAST fails to properly enforce SSO login authorization for locally disabled user accounts, permitting disabled users to maintain application access through single sign-on mechanisms. This affects Kiuwan Cloud and Kiuwan SAST on-premise (KOP) versions prior to 2.8.2509.4, enabling authenticated attackers with prior credentials to bypass account disablement controls. An attacker whose account has been disabled by administrators can re-authenticate via SSO and regain unauthorized access to the system.
Technical ContextAI
The vulnerability stems from an authorization flaw (CWE-863: Improper Authorization) in Kiuwan SAST's SSO integration layer. When a user account is marked as disabled in Kiuwan's local user management system, the SSO authentication mechanism fails to validate this disabled status during login processing. This creates a mismatch between the local access control policy (account disabled) and the SSO token validation logic, allowing the SSO provider to successfully authenticate the user without checking the local disable flag. The issue affects both the cloud-hosted variant (Kiuwan Cloud) and on-premise deployments (KOP), indicating the flaw exists in the core SAST application logic rather than deployment-specific configurations.
RemediationAI
Upgrade Kiuwan SAST on-premise (KOP) to version 2.8.2509.4 or later immediately. Kiuwan Cloud users should verify that their instance has been patched by Kiuwan's cloud operations team; contact Kiuwan support if upgrade status is uncertain. As an interim compensating control pending patch deployment, disable SSO authentication temporarily and enforce login via local credentials only, allowing administrators to validate account disable settings through the native authentication mechanism. Additionally, audit SSO provider logs to identify any logins by disabled accounts since the last access control change, and revoke any active SSO tokens for disabled users. Consult the vendor advisory at https://r.sec-consult.com/kiuwanlock and https://nvd.nist.gov/vuln/detail/CVE-2026-24069 for deployment-specific patching instructions.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22245