CVE-2026-56425
Status: Received - Intake
OAuth 2.0 State Parameter Weaknesses in AAD Authentication Plugin

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass security guarantees the protocol is meant to provide.

The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because a session identifier is a long-lived authentication credential, placing it in OAuth redirect URLs could leak a valid session token through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. An attacker who obtained the leaked identifier could use it for session hijacking.

The implementation also did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation: an attacker forces a victim to use a known session identifier before login and reuses that identifier once the victim has authenticated.

The OAuth state value was not implemented as a dedicated, single-use nonce. This weakened the CSRF protection the state parameter exists to provide and increased the risk of replay attacks against the OAuth callback.

The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. With a non-HTTPS redirect URI, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing them to network attackers.

Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records.

The fix introduces:

  • A dedicated, cryptographically random OAuth state value.
  • Single-use state validation and invalidation.
  • Constant-time state comparison using hash_equals().
  • Session identifier rotation after successful authentication.
  • Enforcement of HTTPS-only redirect URIs.
  • Sanitized and length-limited logging of OAuth error parameters.

Affected component: AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
Meta Information
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-384 (Session Fixation): Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Executive Summary

This vulnerability affects the OAuth 2.0 authorization flow of an Azure Active Directory (AAD) authentication plugin and combines several weaknesses. The PHP session identifier was used as the OAuth state parameter, so a valid session token could leak through browser history, HTTP Referer headers, proxies, access logs and third-party infrastructure involved in the login.

Additionally, the session identifier was not regenerated after authentication, leaving sessions open to session fixation attacks. Because the OAuth state was not a dedicated, single-use nonce, the CSRF protection it is supposed to provide was weakened and callback replay became possible.

The flow also failed to enforce HTTPS for redirect URIs, risking exposure of authorization codes and tokens in plaintext. Finally, OAuth error responses were logged with attacker-controlled parameters unsanitized, enabling log injection or corruption of audit records.

Detection Guidance

Detecting this vulnerability means checking an Azure Active Directory (AAD) OAuth 2.0 integration for the four conditions named in the description: a PHP session identifier used as the OAuth state parameter, no session identifier regeneration after authentication, non-HTTPS redirect URIs, and unsanitized logging of OAuth error parameters.

Commands or methods to detect these issues may include:

  • Inspect OAuth redirect URLs and access logs for exposure of PHP session identifiers (session_id()). A direct check: for a login flow captured in the browser or an intercepting proxy, compare the state value in the authorize and callback URLs with the client's PHP session cookie value (PHPSESSID by default); they must differ.
  • Check web server or application logs for OAuth error responses (error, error_description) written with unfiltered GET parameters, for example entries containing embedded newlines or other control characters, which indicate a log injection attempt against the vulnerable logger.
  • Verify that OAuth redirect URIs enforce HTTPS by reviewing configuration files or network traffic captures (e.g., using tcpdump or Wireshark) to detect any plaintext transmission of authorization codes or tokens.
  • Review session management behaviour to confirm that session identifiers are regenerated after successful authentication; this may require code inspection (look for session_regenerate_id()) or observing whether the callback response sets a new session cookie value.
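As an added illustration of the log-review checks above (example code written for this page, not part of the plugin or the advisory), the PHP script below scans constructed access-log lines for three of the symptoms: a callback state that looks like a PHP session id rather than a random nonce, a plaintext redirect_uri, and control characters in OAuth error parameters. The sample log lines, the session-id heuristic (session_id() output uses only the characters 0-9 and a-v, in both its hex and 5-bit modes) and the URL paths are assumptions.

```php
<?php
// Added example, not the plugin's code: scan access-log lines for symptoms
// of CVE-2026-56425-style OAuth state handling. Sample lines are constructed.
declare(strict_types=1);

// Constructed combined-log-format sample (client, request line, status, Referer, UA).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [22/Jun/2026:10:01:03 +0000] "GET /aad/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2026:10:01:09 +0000] "GET /aad/callback?code=redacted&state=mf1dnh3lqtb2k9j7u6j0d1l9g4 HTTP/1.1" 302 0 "https://login.microsoftonline.com/" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2026:10:02:11 +0000] "GET /aad/login?redirect_uri=http%3A%2F%2Fintranet.example.test%2Faad%2Fcallback HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2026:10:03:40 +0000] "GET /aad/callback?error=access_denied&error_description=x%0A2026-06-22+10:03:41+admin+login+OK&state=abc HTTP/1.1" 400 0 "-" "Mozilla/5.0"
LOG;

/** Return the raw query string of the request line, or null if there is none. */
function requestQuery(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) [^ ?]*\?([^ "]*) HTTP\//', $line, $m)) {
        return null;
    }
    return $m[1];
}

/** Analyse one log line and return a list of finding strings (empty if clean). */
function scanLine(string $line): array
{
    $findings = [];
    $query = requestQuery($line);
    if ($query === null) {
        return $findings;
    }
    parse_str($query, $params);   // url-decodes values, so %0A becomes a real newline

    // 1. A state that looks like a PHP session id. session_id() only emits
    //    [0-9a-v]; a base64url random nonce almost always contains other
    //    characters (upper case, '-' or '_'). Heuristic, not proof.
    if (isset($params['state']) && is_string($params['state'])
        && preg_match('/^[0-9a-v]{22,40}$/', $params['state'])) {
        $findings[] = 'state resembles a PHP session id: ' . $params['state'];
    }

    // 2. A redirect_uri whose scheme is not https.
    if (isset($params['redirect_uri']) && is_string($params['redirect_uri'])) {
        $scheme = parse_url($params['redirect_uri'], PHP_URL_SCHEME);
        if (!is_string($scheme) || strtolower($scheme) !== 'https') {
            $findings[] = 'non-HTTPS redirect_uri: ' . $params['redirect_uri'];
        }
    }

    // 3. Control characters in OAuth error parameters: a log-forging attempt
    //    against a logger that writes these values verbatim.
    foreach (['error', 'error_description', 'error_uri'] as $key) {
        if (isset($params[$key]) && is_string($params[$key])
            && preg_match('/[\x00-\x1F\x7F]/', $params[$key])) {
            $findings[] = "control characters in $key (possible log injection)";
        }
    }
    return $findings;
}

/** Scan a whole log text and return "line N: finding" entries. */
function scanLog(string $log): array
{
    $report = [];
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        foreach (scanLine($line) as $finding) {
            $report[] = sprintf('line %d: %s', $n + 1, $finding);
        }
    }
    return $report;
}

foreach (scanLog(SAMPLE_LOG) as $entry) {
    echo $entry, PHP_EOL;
}
```

Run it with `php scan.php`; on real logs replace SAMPLE_LOG with file_get_contents() of the access log and adjust the path prefixes. The session-id heuristic flags lines 2 of the sample; a hardened plugin that emits base64url nonces produces no such hits.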
Mitigation Strategies

Immediate mitigation steps include implementing the following security improvements in the AAD OAuth 2.0 authentication flow:

  • Replace the use of the PHP session identifier as the OAuth state parameter with a dedicated, cryptographically random, single-use nonce stored server-side in the session.
  • Validate the OAuth state parameter with a constant-time comparison (e.g., hash_equals()) and invalidate it after use, whether or not it matched, to prevent replay of the callback.
  • Regenerate the session identifier (session_regenerate_id(true)) after successful authentication to prevent session fixation attacks.
  • Enforce HTTPS-only redirect URIs so that authorization codes and access tokens are never transmitted in plaintext.
  • Sanitize (strip control characters) and length-limit OAuth error parameters before logging to prevent log injection or log forging.
  • Review and update security documentation and configuration to use a specific tenant ID and enable AD group checks to prevent unauthorized access.
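The fix list in the description and the mitigation steps above translate into the hardened state handling below. This is an added example written for this page, not the plugin's patched code: the function names, the session key, the state lifetime and the callback sketch in the trailing comment are assumptions, and random_bytes() is assumed as the source of randomness; hash_equals() and session_regenerate_id(true) are the standard PHP calls the advisory itself names.

```php
<?php
// Added example, not the plugin's code: a minimal hardened OAuth 2.0 state
// handler for an Azure AD login flow. Assumes session_start() has already run.
// Function names, OAUTH_STATE_KEY and OAUTH_STATE_TTL are assumptions.
declare(strict_types=1);

const OAUTH_STATE_KEY = 'aad_oauth_state';
const OAUTH_STATE_TTL = 600; // seconds a pending state stays valid (assumed value)

/**
 * Build the authorization URL. The state is a fresh 256-bit random nonce kept
 * server-side in the session for the callback to check; it is NOT the session
 * id, so a leaked URL, Referer or proxy log entry reveals nothing reusable.
 */
function buildAuthorizeUrl(string $tenant, string $clientId, string $redirectUri): string
{
    enforceHttpsRedirectUri($redirectUri);

    // base64url encoding of 32 random bytes (random_bytes is assumed; any CSPRNG works)
    $state = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $_SESSION[OAUTH_STATE_KEY] = ['value' => $state, 'expires' => time() + OAUTH_STATE_TTL];

    $query = http_build_query([
        'client_id'     => $clientId,
        'response_type' => 'code',
        'redirect_uri'  => $redirectUri,
        'response_mode' => 'query',
        'scope'         => 'openid profile email',
        'state'         => $state,
    ]);
    return sprintf('https://login.microsoftonline.com/%s/oauth2/v2.0/authorize?%s',
        rawurlencode($tenant), $query);
}

/** Refuse plaintext redirect URIs so codes and tokens never cross the wire unencrypted. */
function enforceHttpsRedirectUri(string $redirectUri): void
{
    $scheme = parse_url($redirectUri, PHP_URL_SCHEME);
    if (!is_string($scheme) || strtolower($scheme) !== 'https') {
        throw new RuntimeException('OAuth redirect_uri must use https://');
    }
}

/**
 * Validate the callback's state: single-use, constant-time compared, and
 * removed from the session whether or not it matches. Returns true on match.
 */
function consumeOAuthState(?string $presented): bool
{
    $pending = $_SESSION[OAUTH_STATE_KEY] ?? null;
    unset($_SESSION[OAUTH_STATE_KEY]);   // invalidate first: exactly one attempt per state

    if (!is_array($pending) || !isset($pending['value'], $pending['expires'])
        || !is_string($presented) || $presented === '') {
        return false;
    }
    if ($pending['expires'] < time()) {
        return false;                    // stale state: treat as a failed login
    }
    return hash_equals($pending['value'], $presented);   // constant-time comparison
}

/** After the identity is established, rotate the session id to defeat fixation. */
function finishLogin(array $claims): void
{
    session_regenerate_id(true);   // true deletes the old session so the pre-login id is dead
    $_SESSION['user'] = $claims;
}

/**
 * Make attacker-influenced OAuth error parameters safe for a log line:
 * strip control characters (including CR/LF used for log forging) and cap length.
 */
function sanitizeForLog(?string $value, int $max = 200): string
{
    if ($value === null) {
        return '';
    }
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    if (strlen($clean) > $max) {
        $clean = substr($clean, 0, $max) . '[truncated]';
    }
    return $clean;
}

// Callback handler sketch (assumed structure):
//   if (!consumeOAuthState($_GET['state'] ?? null)) { http_response_code(400); exit; }
//   if (isset($_GET['error'])) {
//       error_log(sprintf('AAD OAuth error=%s description=%s',
//           sanitizeForLog($_GET['error']), sanitizeForLog($_GET['error_description'] ?? null)));
//       exit;
//   }
//   ... exchange $_GET['code'] for tokens, validate the id_token, then finishLogin($claims);
```

Two design points: the state is unset before it is compared, so a mismatch cannot be retried against the same pending value, and session_regenerate_id(true) runs only after the identity is established, so an attacker who fixed the pre-login id holds an id that no longer exists.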
Compliance Impact

The vulnerability in the Azure Active Directory (AAD) OAuth 2.0 authentication flow exposes session identifiers and access tokens through insecure handling, which can lead to session hijacking, session fixation, replay attacks, and exposure of sensitive credentials. Such weaknesses can result in unauthorized access to protected data.

These security issues could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong protections for personal and sensitive data, including secure authentication mechanisms and protection against unauthorized access.

Specifically, leaking session tokens and failing to enforce HTTPS could lead to data breaches or unauthorized data exposure, which are violations of data protection requirements under these regulations.

The fixes introduced, such as cryptographically random OAuth state values, session ID rotation, HTTPS enforcement, and sanitized logging, help mitigate these risks and support compliance by strengthening authentication security and protecting sensitive data.

Impact Analysis

This vulnerability can lead to session hijacking if an attacker obtains leaked session identifiers, allowing unauthorized access to user sessions.

It also enables session fixation attacks, where an attacker forces a victim to use a known session ID and later reuses it after authentication.

Weak CSRF protections and replay attack risks can allow attackers to manipulate OAuth callbacks, potentially gaining unauthorized access. The classic form is login CSRF: the attacker completes the authorization step with an account they control and tricks the victim's browser into submitting the resulting callback, binding the victim's session to the attacker's identity.

If HTTPS is not enforced, sensitive OAuth tokens can be intercepted by network attackers.

Log injection vulnerabilities can corrupt audit logs, hindering forensic investigations and security monitoring.
