CVE-2020-26254: omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake t...

Description

omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.

Metrics

CVSS 3.1

7.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

EPSS Probability

1.32%

67.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Omniauth-Apple Project	Omniauth-Apple	< 1.0.1

References

https://github.com/nhosoya/omniauth-apple/blob/master/CHANGELOG.md#101---2020-12-03Release Notes, Third Party Advisory
https://github.com/nhosoya/omniauth-apple/commit/b37d5409213adae2ca06a67fec14c8d3d07d9016Patch, Third Party Advisory
https://github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633Exploit, Mitigation, Third Party Advisory
https://github.com/nhosoya/omniauth-apple/blob/master/CHANGELOG.md#101---2020-12-03Release Notes, Third Party Advisory
https://github.com/nhosoya/omniauth-apple/commit/b37d5409213adae2ca06a67fec14c8d3d07d9016Patch, Third Party Advisory
https://github.com/nhosoya/omniauth-apple/security/advisories/GHSA-49r3-2549-3633Exploit, Mitigation, Third Party Advisory

Timeline

Published: Dec 8, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-26254?

omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.

How severe is CVE-2020-26254?

CVE-2020-26254 has a CVSS score of 7.7/10 (HIGH severity). The EPSS model estimates a 1.32% probability of exploitation in the next 30 days.

How do I fix CVE-2020-26254?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.