Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable unauthenticated replay, but AC:H because the attacker must first obtain a victim-scoped Apple-signed token; S:C as auth is broken across a sibling client, high C/I from account takeover, no availability impact.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauth_apple allows account takeover via unvalidated ID token claims.
The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback id_token against Apple's JWKS but does not validate any registered claims. The iss, aud, exp, and iat claims are read from the token and passed on to Ueberauth.Strategy.Apple.handle_callback!/1, which derives the logged-in user's uid and email directly from the unvalidated sub claim.
An attacker who obtains any Apple-signed ID token bearing the victim's sub (via a captured expired token, or via an ID token issued to a sibling client in the same Apple developer team) can replay it against the vulnerable callback and be authenticated as the victim. The absent exp check makes stolen tokens usable indefinitely, and the absent aud check enables cross-application account takeover across clients that share an Apple developer team.
This issue affects ueberauth_apple: from 0.1.0 before 0.6.2.
AnalysisAI
Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to first possess a genuine Apple-signed id_token containing the victim's sub claim - obtained either as a captured/expired token for the victim or as a token Apple issued to a different (sibling) client within the same Apple developer team as the target. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N, base 9.1) captures the profile well: network-reachable, low complexity, no privileges or user interaction, high confidentiality and integrity impact from account takeover, no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker in the same Apple developer team obtains an id_token that Apple issued to a sibling Services ID for a victim who signed into that other app. Because the vulnerable callback ignores the aud and exp claims, the attacker POSTs this legitimately-signed token to the target application's Apple callback endpoint and is authenticated as the victim (matching sub), completing a cross-application account takeover. … |
| Remediation | Vendor-released patch: upgrade ueberauth_apple to 0.6.2 or later (update the dep to {:ueberauth_apple, "~> 0.6.2"} and run mix deps.update ueberauth_apple), which validates the iss, aud, exp, and iat claims after signature verification and fails closed when the expected client_id audience cannot be determined; the maintainers note client_id was already required so the fix should not break existing configurations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all applications using ueberauth_apple versions 0.1.0 through 0.6.1, and flag these systems for emergency patching with security and engineering teams. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43706