CVE-2026-24069 (GCVE-0-2026-24069)

Vulnerability from cvelistv5 – Published: 2026-04-14 11:26 – Updated: 2026-04-14 18:24
VLAI?
Title
Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST
Summary
Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
Kiuwan SAST Affected: <2.8.2509.4
Create a notification for this product.
Credits
Bernhard Gründling, SEC Consult Vulnerability Lab Fabian Würfl, SEC Consult Vulnerability Lab Johannes Greil, SEC Consult Vulnerability Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-24069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T15:45:46.760607Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-14T15:45:49.812Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-14T18:24:36.801Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2026/Apr/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAST",
          "vendor": "Kiuwan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c2.8.2509.4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bernhard Gr\u00fcndling, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Fabian W\u00fcrfl, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Johannes Greil, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eKiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e"
            }
          ],
          "value": "Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T11:26:55.274Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/kiuwanlock"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4.\u003c/p\u003e"
            }
          ],
          "value": "The issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2026-24069",
    "datePublished": "2026-04-14T11:26:55.274Z",
    "dateReserved": "2026-01-21T11:29:19.854Z",
    "dateUpdated": "2026-04-14T18:24:36.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-24069",
      "date": "2026-04-14",
      "epss": "0.00017",
      "percentile": "0.04065"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24069\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-04-14T12:16:20.247\",\"lastModified\":\"2026-04-14T19:16:33.553\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/kiuwanlock\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"http://seclists.org/fulldisclosure/2026/Apr/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://seclists.org/fulldisclosure/2026/Apr/5\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-14T18:24:36.801Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24069\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-14T15:45:46.760607Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-14T15:45:43.638Z\"}}], \"cna\": {\"title\": \"Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Bernhard Gr\\u00fcndling, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Fabian W\\u00fcrfl, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Johannes Greil, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-114\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-114 Authentication Abuse\"}]}], \"affected\": [{\"vendor\": \"Kiuwan\", \"product\": \"SAST\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c2.8.2509.4\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/kiuwanlock\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eKiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-04-14T11:26:55.274Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24069\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-14T18:24:36.801Z\", \"dateReserved\": \"2026-01-21T11:29:19.854Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-04-14T11:26:55.274Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.