CVE-2026-14336
Last modified
CVE-2026-14336 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| Eclipse Foundation | Eclipse CSI - PIA | <= 0.3.0 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14336?
How severe is CVE-2026-14336?
How do I fix CVE-2026-14336?
Related CVEs from 2026
- CVE-2026-1431The Booking Calendar plugin for WordPress is vulnerable to u…5.3
- CVE-2026-1432SQL injection vulnerability in the Buroweb platform version …9.3
- CVE-2026-14324RAOP module accepts unbounded Content-Length values and does…6.5
- CVE-2026-14327The AR for WordPress plugin for WordPress is vulnerable to D…7.5
- CVE-2026-1433uniFLOW Universal Login Manager (ULM) Standalone contains an…4.8
- CVE-2026-14330Multiple unbounded alloca() calls in the PulseAudio protocol…5.5
- CVE-2026-1434Omega-PSIR is vulnerable to Reflected XSS via the lang param…6.1
- CVE-2026-14340An incorrect authorization vulnerability was identified in G…5
- CVE-2026-14342The Mail Mint – Email Marketing, Newsletter, Email Automatio…4.9
- CVE-2026-14343The Download Manager plugin for WordPress is vulnerable to S…6.4
- CVE-2026-14345The WPFunnels – Funnel Builder for WooCommerce with Checkout…9.8
- CVE-2026-1435Not properly invalidated session vulnerability in Graylog We…9.8
Are you affected by CVE-2026-14336?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
