// vulnerability record
cached · NVD via COSMOS sync
CVE-2026-50629
MEDIUM · published 2026-06-12 10:16 UTC · 13 days ago · modified 2026-06-12 19:04 UTC
CVSS 5.3 / 10
// description
The 'clientId' parameter from incoming HTTP requests is concatenated directly into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fix this issue.
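The weakness class described above (CWE-93) and its mitigation, as an added example that is not code from the affected project: Python's standard `logging` module stands in for the server's logger, and the function names, the warning text and the sample value are all assumptions made for illustration.

```python
import io
import logging

def escape_control_chars(value, max_len=128):
    """Return value truncated to max_len with control characters made visible."""
    out = []
    for ch in value[:max_len]:
        code = ord(ch)
        # C0 controls, DEL, C1 controls and the Unicode line/paragraph separators
        if code < 0x20 or 0x7F <= code <= 0x9F or ch in "\u2028\u2029":
            out.append("\\u%04x" % code)
        elif ch == "\\":
            # Escape the escape character so the output stays unambiguous
            out.append("\\\\")
        else:
            out.append(ch)
    return "".join(out)

def log_lines(client_id, sanitize):
    """Log one warning mentioning client_id and return the lines written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("oauth2-demo")  # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    shown = escape_control_chars(client_id) if sanitize else client_id
    # Hypothetical warning text; the real message is not given in the record.
    logger.warning("Client with id %s not found", shown)
    return buf.getvalue().splitlines()

# Constructed sample value: a CR/LF pair followed by text shaped like a log entry.
SAMPLE = "abc\r\nWARNING forged entry"

if __name__ == "__main__":
    print(log_lines(SAMPLE, sanitize=False))  # two lines reach the log
    print(log_lines(SAMPLE, sanitize=True))   # one line, control chars visible
```

Escaping rather than silently dropping the control characters keeps the attempt visible to whoever reviews the log.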
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
// weaknesses (CWE)
- CWE-93