Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Remote, low-complexity abuse needing an authenticated attacker-controlled IdP (PR:L); tenant boundary crossed (S:C) yielding victim-tenant account takeover (C:H/I:H), no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/backend/api/v1/views.py recalculated the tenant from user.email instead of binding token issuance to the validated SAML configuration. An authenticated attacker with a controlled SAML IdP could complete a valid SAML flow for an attacker-controlled domain while asserting an email address from another configured domain, causing a SAMLToken and tenant-scoped JWT to be issued for the wrong tenant and enabling cross-tenant account takeover. This issue is fixed in version 5.30.3.
AnalysisAI
Cross-tenant account takeover in Prowler (cloud security platform) before 5.30.3 lets an authenticated attacker who operates a controlled SAML IdP obtain a tenant-scoped JWT for a victim tenant. The ACS finish logic in api/src/backend/api/v1/views.py derived the destination tenant from the user-asserted email domain rather than binding token issuance to the validated SAML configuration, so an attacker completing a legitimate SAML flow for their own domain while asserting a victim-domain email address receives a SAMLToken and JWT for the wrong tenant. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control a SAML Identity Provider and have an attacker-controlled domain configured as a valid SAML tenant in the target Prowler deployment (the CVSS PR:L reflects this authenticated/low-privilege foothold). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high priority for anyone running the multi-tenant Prowler app with SAML enabled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can register or already holds a low-privilege SAML tenant stands up a SAML IdP for their own controlled domain, then initiates login and returns a validly signed SAMLResponse that asserts an email address belonging to a different, victim tenant's domain. Because the ACS finish logic derives the tenant from the asserted email rather than the verified SAML config, Prowler issues a SAMLToken and tenant-scoped JWT for the victim tenant, granting the attacker cross-tenant account takeover. … |
| Remediation | Upgrade to Prowler 5.30.3, which binds token issuance to the validated SAML configuration rather than recalculating the tenant from user.email; this is a vendor-released patch and the definitive fix (see the release at https://github.com/prowler-cloud/prowler/releases/tag/5.30.3, advisory GHSA-h8m9-jgf8-vwvp at https://github.com/prowler-cloud/prowler/security/advisories/GHSA-h8m9-jgf8-vwvp, PR https://github.com/prowler-cloud/prowler/pull/11650, and commits bf3b5c2ba713e533014927141b64948c82c8f32e and f5ff30ad175bd2edf02cd28872653c1cda5867b7). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit your Prowler deployment version and verify you are not running versions prior to 5.30.3. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42968