CVE-2026-27478

EPSS 0.02%
Veröffentlicht 11.03.2026 19:36:03
Zuletzt bearbeitet 16.03.2026 20:24:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Unitycatalog ≫ Unitycatalog SwEditiondata Version <= 0.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.062

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-1390 Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27478

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27478

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27478

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27478