Skip to main content

ueberauth_apple CVE-2026-55954

| EUVDEUVD-2026-43706 CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-07-14 EEF
9.1
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Network-reachable unauthenticated replay, but AC:H because the attacker must first obtain a victim-scoped Apple-signed token; S:C as auth is broken across a sibling client, high C/I from account takeover, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 16:02 vuln.today
Analysis Generated
Jul 14, 2026 - 16:02 vuln.today
CVE Published
Jul 14, 2026 - 15:08 cve.org
CRITICAL 9.1

DescriptionCVE.org

Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.

The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.

An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.

This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.

AnalysisAI

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Apple-signed token with victim sub
Delivery
Replay id_token to vulnerable callback
Exploit
Signature verifies, claims unchecked
Execution
uid/email derived from spoofed sub
Impact
Authenticated as victim (account takeover)

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to first possess a genuine Apple-signed id_token containing the victim's sub claim - obtained either as a captured/expired token for the victim or as a token Apple issued to a different (sibling) client within the same Apple developer team as the target. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N, base 9.1) captures the profile well: network-reachable, low complexity, no privileges or user interaction, high confidentiality and integrity impact from account takeover, no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker in the same Apple developer team obtains an id_token that Apple issued to a sibling Services ID for a victim who signed into that other app. Because the vulnerable callback ignores the aud and exp claims, the attacker POSTs this legitimately-signed token to the target application's Apple callback endpoint and is authenticated as the victim (matching sub), completing a cross-application account takeover. …
Remediation Vendor-released patch: upgrade ueberauth_apple to 0.6.2 or later (update the dep to {:ueberauth_apple, "~> 0.6.2"} and run mix deps.update ueberauth_apple), which validates the iss, aud, exp, and iat claims after signature verification and fails closed when the expected client_id audience cannot be determined; the maintainers note client_id was already required so the fix should not break existing configurations. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all applications using ueberauth_apple versions 0.1.0 through 0.6.1, and flag these systems for emergency patching with security and engineering teams. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy