Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-56425

Gravedad CVSS v4.0:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
22/06/2026
Última modificación:
26/06/2026

Descripción

*** Pendiente de traducción *** The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.<br /> <br /> <br /> The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking.<br /> <br /> <br /> Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication.<br /> <br /> <br /> The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process.<br /> <br /> <br /> The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers.<br /> <br /> <br /> Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.<br /> <br /> <br /> The fix introduces:<br /> <br /> <br /> <br /> * <br /> A dedicated cryptographically random OAuth state value.<br /> <br /> <br /> * <br /> Single-use state validation and invalidation.<br /> <br /> <br /> * <br /> Constant-time state comparison using hash_equals().<br /> <br /> <br /> * <br /> Session identifier rotation after successful authentication.<br /> <br /> <br /> * <br /> Enforcement of HTTPS-only redirect URIs.<br /> <br /> <br /> * <br /> Sanitized and length-limited logging of OAuth error parameters.<br /> <br /> <br /> AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:* 2.5.42 (excluyendo)


Referencias a soluciones, herramientas e información