{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22734", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:41.498Z", "datePublished": "2026-04-16T23:33:43.596Z", "dateUpdated": "2026-04-16T23:33:43.596Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-16T23:33:43.596Z"}, "title": "Cloud Foundry UAA SAML 2.0 Signature Bypass", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-290", "description": "CWE-290 Authentication bypass by spoofing", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-646", "descriptions": [{"lang": "en", "value": "CAPEC-646 Peripheral Footprinting"}]}], "affected": [{"vendor": "Cloud Foundry", "product": "UUA", "versions": [{"status": "affected", "version": "v77.21.0", "lessThanOrEqual": "v78.8.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cloud Foundry UUA is\u00a0vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted.\u00a0This issue affects UUA\u00a0from v77.30.0 to v78.7.0 (inclusive)\u00a0and it affects\u00a0CF Deployment\u00a0from v48.7.0 to v54.14.0 (inclusive).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cloud Foundry UUA is<span>&nbsp;vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted.&nbsp;</span><span>This issue affects UUA</span><span>&nbsp;from v77.30.0 to v78.7.0 (inclusive)&nbsp;</span><span>and it affects&nbsp;</span><span>CF Deployment&nbsp;</span><span>from v48.7.0 to v54.14.0 (inclusive).</span>"}]}], "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cloud Foundry UUA is\u00a0vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted.\u00a0This issue affects UUA\u00a0from v77.30.0 to v78.7.0 (inclusive)\u00a0and it affects\u00a0CF Deployment\u00a0from v48.7.0 to v54.14.0 (inclusive)."}], "id": "CVE-2026-22734", "lastModified": "2026-04-17T01:17:37.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-17T01:17:37.107", "references": [{"source": "security@vmware.com", "url": "https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T02:21:03.183715+00:00", "value": {"mitigation_remediation": ["Upgrade Cloud Foundry UAA to a version newer than v78.7.0 or apply the official patch that enforces signing and encryption of all SAML\u00a02.0 bearer assertions.", "Configure the UAA to disable SAML\u00a02.0 bearer assertions for any client that does not require them, or enforce strict verification of signature and encryption.", "Validate all incoming SAML assertions and reject any that are unsigned or unencrypted; enable assertion consumer service signing validation in the underlying SAML library.", "Monitor for abnormal token usage and audit logs to detect unauthorized access attempts."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized token acquisition and access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Cloud Foundry UAA versions from v77.30.0 through v78.7.0, inclusive, and also applies to CF Deployment releases from v48.7.0 to v54.14.0. Systems running any of these releases remain susceptible unless client configurations explicitly disable or enforce signing and encryption of bearer assertions.", "description_and_impact": "Cloud Foundry UAA is vulnerable to a bypass that permits an attacker to obtain a token for any user and gain access to UAA\u2011protected systems. The flaw exists because, when SAML\u00a02.0 bearer assertions are enabled, the UAA accepts assertions that are neither signed nor encrypted, violating the expected authentication guarantees. The result is full impersonation of any user, elevating the risk to confidentiality and integrity of all protected data.", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity. While the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, the attack vector is inferred to be through crafted SAML\u00a02.0 bearer assertions sent to the UAA over the network, implying remote exploitation without local access. The flaw provides direct token acquisition, enabling unrestricted access to protected APIs and services."}}}}, "created": "2026-04-17T02:30:07.310622+00:00", "updated": "2026-04-17T02:30:07.310645+00:00", "vendors": []}