CVE-2026-56425
Gravedad CVSS v4.0:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
22/06/2026
Última modificación:
26/06/2026
Descripción
*** Pendiente de traducción *** The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.<br />
<br />
<br />
The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.<br />
<br />
<br />
Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.<br />
<br />
<br />
The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.<br />
<br />
<br />
The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.<br />
<br />
<br />
Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.<br />
<br />
<br />
The fix introduces:<br />
<br />
<br />
<br />
* <br />
A dedicated cryptographically random OAuth state value.<br />
<br />
<br />
* <br />
Single-use state validation and invalidation.<br />
<br />
<br />
* <br />
Constant-time state comparison using hash_equals().<br />
<br />
<br />
* <br />
Session identifier rotation after successful authentication.<br />
<br />
<br />
* <br />
Enforcement of HTTPS-only redirect URIs.<br />
<br />
<br />
* <br />
Sanitized and length-limited logging of OAuth error parameters.<br />
<br />
<br />
AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
Impacto
Puntuación base 4.0
9.30
Gravedad 4.0
CRÍTICA
Puntuación base 3.x
8.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:* | 2.5.42 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



