Skip to main content

Sast CVE-2026-24069

| EUVDEUVD-2026-22245 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-14 SEC-VLab
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch released
Apr 17, 2026 - 15:24 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
2.8.2509.4
Analysis Generated
Apr 14, 2026 - 16:22 vuln.today
CVSS changed
Apr 14, 2026 - 16:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 14, 2026 - 12:00 euvd
EUVD-2026-22245
Analysis Generated
Apr 14, 2026 - 12:00 vuln.today
CVE Published
Apr 14, 2026 - 11:26 nvd
MEDIUM 5.4

DescriptionCVE.org

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.

AnalysisAI

Kiuwan SAST fails to properly enforce SSO login authorization for locally disabled user accounts, permitting disabled users to maintain application access through single sign-on mechanisms. This affects Kiuwan Cloud and Kiuwan SAST on-premise (KOP) versions prior to 2.8.2509.4, enabling authenticated attackers with prior credentials to bypass account disablement controls. An attacker whose account has been disabled by administrators can re-authenticate via SSO and regain unauthorized access to the system.

Technical ContextAI

The vulnerability stems from an authorization flaw (CWE-863: Improper Authorization) in Kiuwan SAST's SSO integration layer. When a user account is marked as disabled in Kiuwan's local user management system, the SSO authentication mechanism fails to validate this disabled status during login processing. This creates a mismatch between the local access control policy (account disabled) and the SSO token validation logic, allowing the SSO provider to successfully authenticate the user without checking the local disable flag. The issue affects both the cloud-hosted variant (Kiuwan Cloud) and on-premise deployments (KOP), indicating the flaw exists in the core SAST application logic rather than deployment-specific configurations.

RemediationAI

Upgrade Kiuwan SAST on-premise (KOP) to version 2.8.2509.4 or later immediately. Kiuwan Cloud users should verify that their instance has been patched by Kiuwan's cloud operations team; contact Kiuwan support if upgrade status is uncertain. As an interim compensating control pending patch deployment, disable SSO authentication temporarily and enforce login via local credentials only, allowing administrators to validate account disable settings through the native authentication mechanism. Additionally, audit SSO provider logs to identify any logins by disabled accounts since the last access control change, and revoke any active SSO tokens for disabled users. Consult the vendor advisory at https://r.sec-consult.com/kiuwanlock and https://nvd.nist.gov/vuln/detail/CVE-2026-24069 for deployment-specific patching instructions.

Share

CVE-2026-24069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy