Skip to main content

Prowler CVE-2026-59151

| EUVDEUVD-2026-42968 CRITICAL
Improper Authentication (CWE-287)
2026-07-10 GitHub_M
9.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
9.6 CRITICAL

Remote, low-complexity abuse needing an authenticated attacker-controlled IdP (PR:L); tenant boundary crossed (S:C) yielding victim-tenant account takeover (C:H/I:H), no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 19:01 EUVD
Analysis Generated
Jul 10, 2026 - 18:53 vuln.today

DescriptionCVE.org

Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/backend/api/v1/views.py recalculated the tenant from user.email instead of binding token issuance to the validated SAML configuration. An authenticated attacker with a controlled SAML IdP could complete a valid SAML flow for an attacker-controlled domain while asserting an email address from another configured domain, causing a SAMLToken and tenant-scoped JWT to be issued for the wrong tenant and enabling cross-tenant account takeover. This issue is fixed in version 5.30.3.

AnalysisAI

Cross-tenant account takeover in Prowler (cloud security platform) before 5.30.3 lets an authenticated attacker who operates a controlled SAML IdP obtain a tenant-scoped JWT for a victim tenant. The ACS finish logic in api/src/backend/api/v1/views.py derived the destination tenant from the user-asserted email domain rather than binding token issuance to the validated SAML configuration, so an attacker completing a legitimate SAML flow for their own domain while asserting a victim-domain email address receives a SAMLToken and JWT for the wrong tenant. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Configure attacker-controlled SAML IdP and domain tenant
Delivery
Initiate SAML login to Prowler ACS
Exploit
Return signed SAMLResponse asserting victim-domain email
Execution
ACS derives wrong tenant from user.email
Persist
Issue SAMLToken and tenant-scoped JWT for victim tenant
Impact
Cross-tenant account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control a SAML Identity Provider and have an attacker-controlled domain configured as a valid SAML tenant in the target Prowler deployment (the CVSS PR:L reflects this authenticated/low-privilege foothold). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high priority for anyone running the multi-tenant Prowler app with SAML enabled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can register or already holds a low-privilege SAML tenant stands up a SAML IdP for their own controlled domain, then initiates login and returns a validly signed SAMLResponse that asserts an email address belonging to a different, victim tenant's domain. Because the ACS finish logic derives the tenant from the asserted email rather than the verified SAML config, Prowler issues a SAMLToken and tenant-scoped JWT for the victim tenant, granting the attacker cross-tenant account takeover. …
Remediation Upgrade to Prowler 5.30.3, which binds token issuance to the validated SAML configuration rather than recalculating the tenant from user.email; this is a vendor-released patch and the definitive fix (see the release at https://github.com/prowler-cloud/prowler/releases/tag/5.30.3, advisory GHSA-h8m9-jgf8-vwvp at https://github.com/prowler-cloud/prowler/security/advisories/GHSA-h8m9-jgf8-vwvp, PR https://github.com/prowler-cloud/prowler/pull/11650, and commits bf3b5c2ba713e533014927141b64948c82c8f32e and f5ff30ad175bd2edf02cd28872653c1cda5867b7). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit your Prowler deployment version and verify you are not running versions prior to 5.30.3. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy