Executive Summary

CVE-2026-27478 is a critical authentication bypass vulnerability in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens) of Unity Catalog versions 0.4.0 and earlier.

The vulnerability occurs because the endpoint extracts the issuer (iss) claim from incoming JWTs and dynamically fetches the JWKS endpoint for signature validation without verifying that the issuer is a trusted identity provider.

Additionally, the implementation does not validate the audience (aud) claim, allowing tokens intended for other services to be accepted.

An attacker can exploit this by hosting their own OIDC-compliant server with a valid JWKS endpoint, signing a JWT with their private key while setting the iss claim to their server and the sub/email claims to any known user in the Unity Catalog system.

The attacker then exchanges this crafted token for a valid internal access token, resulting in complete impersonation of any user and full access to all catalogs, schemas, tables, and resources that user can access.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to completely bypass authentication and impersonate any user within the Unity Catalog system.

By exploiting this flaw, an attacker gains full access to all catalogs, schemas, tables, and resources that the impersonated user can access.

The impact includes high confidentiality and integrity risks, as sensitive data can be accessed or manipulated without authorization.

The vulnerability has a CVSS v3.1 base score of 9.1 (Critical), indicating it is easily exploitable over the network without any privileges or user interaction.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious token exchange requests to the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens) that contain JWTs with untrusted issuer (iss) claims.'}, {'type': 'paragraph', 'content': 'One approach is to capture and inspect JWT tokens being sent to the endpoint to verify if the issuer claim corresponds to a trusted identity provider.'}, {'type': 'paragraph', 'content': 'Commands to assist in detection might include using network traffic capture tools such as tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, for example:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/1.0/unity-control/auth/tokens'"}, {'type': 'paragraph', 'content': "Additionally, extracting and decoding JWT tokens from logs or captured traffic can be done using tools like jwt.io or command line utilities such as 'jq' combined with base64 decoding to inspect the iss claim."}, {'type': 'list_item', 'content': "Example command to decode JWT payload: echo '<JWT token>' | cut -d '.' -f2 | base64 -d | jq '.'"}, {'type': 'paragraph', 'content': 'Look for tokens where the issuer (iss) claim is not from a trusted identity provider or where the audience (aud) claim is missing or incorrect.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Unity Catalog token exchange endpoint and implementing strict validation of the issuer (iss) and audience (aud) claims in JWT tokens.

Since no patched versions are available, it is critical to apply network-level controls such as firewall rules or API gateway policies to only allow requests from trusted identity providers.

Additionally, monitoring and alerting on suspicious token exchange activity and anomalous access patterns can help detect exploitation attempts early.

Consider disabling or limiting the use of the vulnerable token exchange endpoint if possible until a fix is released.

Useful 0 Not Useful 0