CVE-2026-27478
Authentication Bypass in Unity Catalog Token Exchange Endpoint
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unitycatalog | unitycatalog | to 0.4.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27478 is a critical authentication bypass vulnerability in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens) of Unity Catalog versions 0.4.0 and earlier.
The vulnerability occurs because the endpoint extracts the issuer (iss) claim from incoming JWTs and dynamically fetches the JWKS endpoint for signature validation without verifying that the issuer is a trusted identity provider.
Additionally, the implementation does not validate the audience (aud) claim, allowing tokens intended for other services to be accepted.
An attacker can exploit this by hosting their own OIDC-compliant server with a valid JWKS endpoint, signing a JWT with their private key while setting the iss claim to their server and the sub/email claims to any known user in the Unity Catalog system.
The attacker then exchanges this crafted token for a valid internal access token, resulting in complete impersonation of any user and full access to all catalogs, schemas, tables, and resources that user can access.
How can this vulnerability impact me? :
This vulnerability allows an attacker to completely bypass authentication and impersonate any user within the Unity Catalog system.
By exploiting this flaw, an attacker gains full access to all catalogs, schemas, tables, and resources that the impersonated user can access.
The impact includes high confidentiality and integrity risks, as sensitive data can be accessed or manipulated without authorization.
The vulnerability has a CVSS v3.1 base score of 9.1 (Critical), indicating it is easily exploitable over the network without any privileges or user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious token exchange requests to the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens) that contain JWTs with untrusted issuer (iss) claims.'}, {'type': 'paragraph', 'content': 'One approach is to capture and inspect JWT tokens being sent to the endpoint to verify if the issuer claim corresponds to a trusted identity provider.'}, {'type': 'paragraph', 'content': 'Commands to assist in detection might include using network traffic capture tools such as tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, for example:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/1.0/unity-control/auth/tokens'"}, {'type': 'paragraph', 'content': "Additionally, extracting and decoding JWT tokens from logs or captured traffic can be done using tools like jwt.io or command line utilities such as 'jq' combined with base64 decoding to inspect the iss claim."}, {'type': 'list_item', 'content': "Example command to decode JWT payload: echo '<JWT token>' | cut -d '.' -f2 | base64 -d | jq '.'"}, {'type': 'paragraph', 'content': 'Look for tokens where the issuer (iss) claim is not from a trusted identity provider or where the audience (aud) claim is missing or incorrect.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Unity Catalog token exchange endpoint and implementing strict validation of the issuer (iss) and audience (aud) claims in JWT tokens.
Since no patched versions are available, it is critical to apply network-level controls such as firewall rules or API gateway policies to only allow requests from trusted identity providers.
Additionally, monitoring and alerting on suspicious token exchange activity and anomalous access patterns can help detect exploitation attempts early.
Consider disabling or limiting the use of the vulnerable token exchange endpoint if possible until a fix is released.