Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 397ed884cba1 · 2026-04-14T22:32:38.000Z
GHSA-5hvv-m4w4-gf6v GHSA-7mqr-33rv-p3mp GHSA-f24x-5g9q-753f GHSA-g6v3-wv4j-x9hg GHSA-gcqv-f29m-67gr GHSA-hc8w-h2mf-hp59
diff --git a/advisories/github-reviewed/2026/04/GHSA-5hvv-m4w4-gf6v/GHSA-5hvv-m4w4-gf6v.json b/advisories/github-reviewed/2026/04/GHSA-5hvv-m4w4-gf6v/GHSA-5hvv-m4w4-gf6v.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5hvv-m4w4-gf6v",
+  "modified": "2026-04-14T22:31:19Z",
+  "published": "2026-04-14T22:31:19Z",
+  "aliases": [
+    "CVE-2026-34457"
+  ],
+  "summary": " OAuth2 Proxy's Health Check User-Agent Matching Bypasses Authentication in auth_request Mode",
+  "details": "### Impact\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n- OAuth2 Proxy is used with an `auth_request`-style integration   (for example, nginx `auth_request`)\n- `--ping-user-agent` is set or `--gcp-healthchecks` is enabled\n\nIn affected configurations, OAuth2 Proxy will treat a request with the configured health check `User-Agent` value as a successful health check regardless of the requested path. This allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources without completing the normal login flow.\n\nThis issue does not affect deployments that do not use `auth_request`-style subrequests, or that do not enable  `--ping-user-agent`/`--gcp-healthchecks`.\n\n### Patches\nUsers should upgrade to `v7.15.2` or later once available. Deployments running versions prior to `v7.15.2` should be considered affected if they use `auth_request`-style authentication together with `--ping-user-agent` or  `--gcp-healthchecks`.\n\n### Workarounds\nUsers can mitigate this issue by:\n\n- disabling `--gcp-healthchecks`\n- removing any configured `--ping-user-agent`\n- ensuring the reverse proxy does not forward client-controlled `User-Agent`  headers to the OAuth2 Proxy auth subrequest\n- using path-based health checks only, on dedicated health check endpoints\n\nExample nginx mitigation for the auth subrequest:\n\n```nginx\nlocation = /oauth2/auth {\n    internal;\n    proxy_pass http://127.0.0.1:4180;\n    proxy_pass_request_body off;\n    proxy_set_header Content-Length \"\";\n    proxy_set_header Host $host;\n    # set to value that isn't the same as your configured PingUserAgent or GCPs \"GoogleHC/1.0\"\n    proxy_set_header User-Agent \"oauth2-proxy-auth-request\";\n}\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.15.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/oauth2-proxy/oauth2-proxy"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "3.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-290"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T22:31:19Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-7mqr-33rv-p3mp/GHSA-7mqr-33rv-p3mp.json b/advisories/github-reviewed/2026/04/GHSA-7mqr-33rv-p3mp/GHSA-7mqr-33rv-p3mp.json
diff --git a/advisories/github-reviewed/2026/04/GHSA-f24x-5g9q-753f/GHSA-f24x-5g9q-753f.json b/advisories/github-reviewed/2026/04/GHSA-f24x-5g9q-753f/GHSA-f24x-5g9q-753f.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f24x-5g9q-753f",
+  "modified": "2026-04-14T22:31:03Z",
+  "published": "2026-04-14T22:31:03Z",
+  "aliases": [
+    "CVE-2026-34454"
+  ],
+  "summary": "OAuth2 Proxy's session cookies are not cleared when rendering sign-in page",
+  "details": "### Impact\nA regression introduced in [v7.11.0](https://github.com/oauth2-proxy/oauth2-proxy/pull/2605) is preventing OAuth2 Proxy from clearing the session cookie when rendering the sign-in page.\n\nThis only impacts deployments that rely on the sign-in page as part of their logout flow. In those setups, a user may be shown the sign-in page while the existing session cookie remains valid, so the browser session is not actually logged out. On shared workstations be it browsers or devices, a subsequent  user could continue to use the previous user's authenticated session.\n\nDeployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected.\n\n### Patches\nThis issue is fixed in v7.15.2.\n\n### Workarounds\nDo not rely on the sign-in page to clear an existing session. Instead:\n\n- Use the dedicated logout/sign-out endpoint of OAuth2 Proxy\n- Ensure your application logout flow explicitly clears the OAuth2 Proxy   session cookie before redirecting users to the sign-in page\n- If needed, clear the session cookie at the reverse proxy or application   layer as a temporary mitigation",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.11.0"
+            },
+            {
+              "fixed": "7.15.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy/pull/2605"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-384",
+      "CWE-613"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T22:31:03Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-g6v3-wv4j-x9hg/GHSA-g6v3-wv4j-x9hg.json b/advisories/github-reviewed/2026/04/GHSA-g6v3-wv4j-x9hg/GHSA-g6v3-wv4j-x9hg.json
@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g6v3-wv4j-x9hg",
+  "modified": "2026-04-14T22:29:41Z",
+  "published": "2026-04-14T22:29:41Z",
+  "aliases": [
+    "CVE-2026-25125"
+  ],
+  "summary": "October Rain has Environment Variable Exfiltration via INI Parser Interpolation",
+  "details": "A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page settings fields, causing sensitive environment variables to be resolved and stored in the template. These values were then returned to the attacker when the page was reopened.\n\n### Impact\n- Exfiltration of sensitive environment variables (APP_KEY, DB credentials, AWS keys, etc.)\n- Could enable further attacks: database access, cookie forgery, AWS resource access\n- Requires authenticated backend access with Editor permissions\n- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict Editor tool access to fully trusted administrators only\n- Ensure database and cloud service credentials are not accessible from the web server's network\n\n### References\n- Reported by Proactive Testing Team (PTT)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/rain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.1.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.1.9"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/rain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.14"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.7.13"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25125"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/octobercms/october"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-94"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T22:29:41Z",
+    "nvd_published_at": "2026-04-14T21:16:25Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-gcqv-f29m-67gr/GHSA-gcqv-f29m-67gr.json b/advisories/github-reviewed/2026/04/GHSA-gcqv-f29m-67gr/GHSA-gcqv-f29m-67gr.json
@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gcqv-f29m-67gr",
+  "modified": "2026-04-14T22:29:50Z",
+  "published": "2026-04-14T22:29:50Z",
+  "aliases": [
+    "CVE-2026-25133"
+  ],
+  "summary": "October Rain has Stored XSS via SVG Filter Bypass",
+  "details": "A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.\n\n### Impact\n- Stored XSS via malicious SVG files uploaded through the Media Manager\n- Could allow privilege escalation if a superuser views or embeds the malicious SVG\n- Requires authenticated backend access with media upload permissions (`media.library.create`)\n- SVG must be viewed or embedded in a page to trigger\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Disable SVG uploads by adding `svg` to the blocked extensions in media configuration\n- Set `media.clean_vectors` to `true` in configuration (enabled by default)\n\n### References\n- Reported by Offensive Security Research Team",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/rain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.1.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.1.9"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/rain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.14"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.7.13"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25133"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/octobercms/october"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T22:29:50Z",
+    "nvd_published_at": "2026-04-14T21:16:25Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-hc8w-h2mf-hp59/GHSA-hc8w-h2mf-hp59.json b/advisories/github-reviewed/2026/04/GHSA-hc8w-h2mf-hp59/GHSA-hc8w-h2mf-hp59.json
