{"uuid": "90dc8b69-4ebe-4d5a-933f-bc928de98d45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-27478", "type": "seen", "source": "https://gist.github.com/alon710/40ab7c8f3b92395e6ea4963afcd7e9fa", "content": "# CVE-2026-27478: Authentication Bypass via Dynamic JWKS Discovery in Unity Catalog\n\n> **CVSS Score:** 9.1\n> **Published:** 2026-05-11\n> **Full Report:** https://cvereports.com/reports/CVE-2026-27478\n\n## Summary\nUnity Catalog version 0.4.0 and prior contains a critical authentication bypass vulnerability in the token exchange endpoint. The server dynamically fetches JSON Web Key Sets (JWKS) based on unverified 'iss' (issuer) claims within incoming JSON Web Tokens (JWTs), allowing unauthenticated attackers to forge tokens and impersonate arbitrary users.\n\n## TL;DR\nA flaw in Unity Catalog's JWT validation allows complete authentication bypass. By supplying a malicious 'iss' claim, attackers force the server to fetch a public key from an attacker-controlled server to validate a forged token.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-290, CWE-346, CWE-1390\n- **Attack Vector**: Network\n- **CVSS v3.1**: 9.1 (Critical)\n- **EPSS Score**: 0.00023 (6.59%)\n- **Impact**: Complete Authentication Bypass / User Impersonation\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Unity Catalog <= 0.4.0\n- **unitycatalog**: <= 0.4.0 (Fixed in: `0.4.1`)\n\n## Mitigation\n\n- Upgrade Unity Catalog to version 0.4.1 or later.\n- Configure 'server.allowed-issuers' with a strict whitelist of trusted OIDC providers.\n- Configure 'server.audiences' to validate the intended recipient of incoming tokens.\n- Implement network egress filtering to restrict outbound HTTP requests from the Unity Catalog server to known identity providers.\n\n**Remediation Steps:**\n1. Download Unity Catalog version 0.4.1 from the official repository.\n2. Stop the running Unity Catalog service.\n3. Open the 'etc/conf/server.properties' configuration file.\n4. Add the 'server.allowed-issuers' property with your trusted IdP URLs (e.g., server.allowed-issuers=https://accounts.google.com).\n5. Add the 'server.audiences' property with your application client ID.\n6. Ensure 'server.authorization=enable' is set.\n7. Start the updated Unity Catalog service.\n8. Verify the application logs to ensure successful startup and proper configuration loading.\n\n## References\n\n- [GitHub Security Advisory GHSA-qqcj-rghw-829x](https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x)\n- [NVD Detail CVE-2026-27478](https://nvd.nist.gov/vuln/detail/CVE-2026-27478)\n- [Patch Commit (Backport to 0.4)](https://github.com/unitycatalog/unitycatalog/commit/89b91863e4ec0ead5865a602a4203ed254c151da)\n- [Release Tag (v0.4.1)](https://github.com/unitycatalog/unitycatalog/releases/tag/v0.4.1)\n- [Documentation on Auth Configuration](https://github.com/unitycatalog/unitycatalog/blob/main/docs/server/auth.md)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-27478) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-11T18:10:29.000000Z"}