CVE-2026-14336
Status: Received - Intake

OpenID Connect Issuer Spoofing in PIA for Jenkins Tokens

Vulnerability report for CVE-2026-14336, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Eclipse Foundation

Description

PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith('https://ci.eclipse.org') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. A prefix test does not require the allowlisted host to end where a hostname ends, and a URL parser treats everything before an '@' in the authority as userinfo rather than as the host, so an attacker can craft an issuer that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls: either by placing the allowlisted host in the userinfo position, an issuer of the form https://ci.eclipse.org@<attacker host> (userinfo trick), or by using it as the leading labels of a longer hostname such as https://ci.eclipse.org.evil.host (suffix trick). An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and, because the JWKS is then fetched from that host, to have oidc.verify_token accept a JWT signed with the attacker's own key.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE:
Vendor: eclipse
Product: pia
Version range: all versions before 0.3.0 (0.3.0 itself is excluded from the affected range)

Exploitability

CWE: CWE-918, Server-Side Request Forgery (SSRF). The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
KEV: no entry listed

Executive Summary

CVE-2026-14336 is a vulnerability in Eclipse CSI - PIA versions before 0.3.0 (the affected CPE range ends at 0.3.0, exclusive) involving an unauthenticated Server-Side Request Forgery (SSRF) in the OpenID Connect (OIDC) token verification path used for Jenkins tokens.

The problem arises because the issuer allowlist check relies on a simple string-prefix comparison (issuer.startswith('https://ci.eclipse.org')) instead of parsing the issuer and validating it as a host-bounded URL.

Attackers can exploit this by crafting issuer values that satisfy the prefix check but resolve to a host they control: the userinfo trick, where the allowlisted host sits before an '@' and the real host after it (https://ci.eclipse.org@<attacker host>), or the suffix trick, where the allowlisted host is only the leading part of a longer hostname (https://ci.eclipse.org.evil.host).

PIA then sends its OIDC discovery and JWKS fetches to the attacker's server, and because the signing keys come from that server, oidc.verify_token accepts JSON Web Tokens (JWTs) signed with the attacker's own key.

Impact Analysis

This vulnerability affects both confidentiality and integrity.

An unauthenticated attacker can force PIA to make outbound HTTP(S) requests (the OIDC discovery and JWKS fetches) to an attacker-chosen host. That reveals PIA's egress address and user agent and lets the attacker reach any destination PIA's network position allows; the attacker chooses the host but not the request body, so the SSRF half is mainly a reachability and reconnaissance primitive.

The more serious half is token forgery: because the JWKS used for verification is fetched from the attacker's host, the attacker can mint a JWT under a key they own and have oidc.verify_token accept it, defeating the authentication that the Jenkins-token path provides and allowing actions in PIA under a forged identity.

Detection Guidance

Detection has an application side and a network side. Only the application sees the crafted issuer string itself (it is the iss claim of the presented token and the base of the discovery URL PIA builds); on the wire, the destination is the host the URL parser extracts from that string, i.e. the attacker's host, so filtering for the literal prefix https://ci.eclipse.org on the network will not find it.

Network administrators can use network traffic analysis tools or commands to identify suspicious outbound requests from the PIA service.

  • Log and review the iss claim of every token presented to POST /v1/upload/sbom; a value containing an '@' before the first path '/' (userinfo trick), or whose hostname starts with ci.eclipse.org but continues past it (suffix trick such as ci.eclipse.org.evil.host), is exploit-shaped.
  • Use tcpdump or Wireshark to capture outbound HTTP(S) traffic from the PIA server and exclude the expected destinations; with TLS, the destination IP, the preceding DNS query and the TLS SNI are what remain visible.
  • Example tcpdump command (BPF syntax; replace <interface> and add one 'and not dst host ...' clause per expected host): sudo tcpdump -n -i <interface> 'tcp and (dst port 80 or dst port 443) and not dst host ci.eclipse.org'
  • DNS lookups are a cheap indicator of the suffix trick, since a name such as ci.eclipse.org.evil.host must be resolved before the fetch: sudo tcpdump -n -i <interface> 'udp port 53'
  • Check application logs for POST requests to the /v1/upload/sbom endpoint, which can be reached without authentication.
  • Use grep or similar tools to search logs: grep '/v1/upload/sbom' /path/to/pia/logs/*
Mitigation Strategies

Immediate mitigation is to restrict outbound HTTP(S) from the PIA service to the hosts it legitimately needs (ci.eclipse.org for discovery and JWKS). With that egress allowlist in place a spoofed issuer cannot reach the attacker's JWKS, so the forged token fails verification as well as the SSRF request.

Additionally, upgrading to a release outside the affected range (the CPE range ends at 0.3.0, exclusive) or applying the corresponding fix from Eclipse is the real remedy.

  • Implement network-level egress filtering to limit outbound connections from the PIA server to the expected issuer hosts.
  • Review and update the OIDC issuer allowlist validation logic to parse the issuer and compare scheme, host and port against the allowlist (rejecting any userinfo component), instead of using a simple string prefix check.
  • Monitor and audit usage of the POST /v1/upload/sbom endpoint, including the iss claim of tokens presented to it, for unauthorized access.
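
As an added example (not PIA's code and not taken from the advisory), the following Python puts the bare-prefix issuer check the Description and Mitigation sections describe next to a host-bounded replacement, and runs both over constructed issuer values and constructed log lines so the Detection section's application-side check is concrete. The allowlist, the function names is_issuer_known_prefix, is_issuer_known_hardened, discovery_host and suspicious_issuers, the sample log format and the hostname attacker.example are all assumptions of this example. One behavioural assumption is also made: that legitimate issuers on ci.eclipse.org may carry a path (one Jenkins instance per path), so the hardened check binds scheme, host and port exactly and bounds the path on a '/'.

```python
"""Vulnerable bare-prefix issuer check beside a host-bounded one.
Added example, not code from PIA; all names and sample data are constructed."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed allowlist standing in for PIA's Jenkins issuer allowlist.
ALLOWED_ISSUERS = ["https://ci.eclipse.org"]


def is_issuer_known_prefix(issuer: str) -> bool:
    """The vulnerable shape: a bare string-prefix test, as the advisory describes."""
    return any(issuer.startswith(allowed) for allowed in ALLOWED_ISSUERS)


def discovery_host(issuer: str) -> Optional[str]:
    """Host that a discovery/JWKS fetch built on this issuer would actually
    contact.  A URL parser treats text before '@' as userinfo, not as host."""
    try:
        return urlsplit(issuer).hostname
    except ValueError:
        return None


def is_issuer_known_hardened(issuer: str) -> bool:
    """Host-bounded check: https only, no userinfo/query/fragment, exact host
    and port match, and a path equal to the allowed path or a '/'-separated
    extension of it (assumed: Jenkins instances live under paths)."""
    try:
        got = urlsplit(issuer)
        if got.scheme != "https" or got.username is not None or got.password is not None:
            return False
        if got.query or got.fragment or got.hostname is None:
            return False
        got_port = got.port or 443          # .port raises ValueError on garbage
        got_path = got.path.rstrip("/")
        for allowed in ALLOWED_ISSUERS:
            want = urlsplit(allowed)
            if got.hostname != want.hostname or got_port != (want.port or 443):
                continue
            want_path = want.path.rstrip("/")
            if got_path == want_path or got_path.startswith(want_path + "/"):
                return True
    except ValueError:                      # malformed authority, bad port, bad IPv6
        pass
    return False


# Constructed log lines; PIA's real log format is not shown in the advisory.
SAMPLE_LOG = """\
2026-07-02T10:00:01Z INFO POST /v1/upload/sbom iss=https://ci.eclipse.org/cbi sub=job/foo
2026-07-02T10:00:07Z INFO POST /v1/upload/sbom iss=https://ci.eclipse.org@attacker.example sub=job/foo
2026-07-02T10:00:09Z INFO POST /v1/upload/sbom iss=https://ci.eclipse.org.attacker.example sub=job/foo
2026-07-02T10:00:11Z INFO POST /v1/upload/sbom iss=https://other.example sub=job/x
"""

ISS_RE = re.compile(r"\biss=(\S+)")


def suspicious_issuers(log_text: str) -> List[str]:
    """Application-side detection: issuers the prefix check accepts but the
    host-bounded check rejects, i.e. exactly the exploit-shaped values."""
    found = []
    for line in log_text.splitlines():
        match = ISS_RE.search(line)
        if match is None:
            continue
        iss = match.group(1)
        if is_issuer_known_prefix(iss) and not is_issuer_known_hardened(iss):
            found.append(iss)
    return found


if __name__ == "__main__":
    probes = [
        "https://ci.eclipse.org/cbi",               # legitimate path-scoped instance
        "https://ci.eclipse.org@attacker.example",  # userinfo trick
        "https://ci.eclipse.org.attacker.example",  # suffix trick
        "https://ci.eclipse.org:8443/cbi",          # same host, different port
    ]
    for issuer in probes:
        print(f"{issuer:45} prefix={is_issuer_known_prefix(issuer)!s:5} "
              f"hardened={is_issuer_known_hardened(issuer)!s:5} "
              f"fetches from={discovery_host(issuer)}")
    print("exploit-shaped issuers in log:", suspicious_issuers(SAMPLE_LOG))
```

Run as a script to print the verdict for each probe together with the host the fetch would actually go to. The suspicious_issuers scan is the application-side detection described above: it flags exactly the issuers that the prefix test would have let through, which is what to search for in historical logs from before the fix was deployed.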
Compliance Impact

The vulnerability allows an attacker to manipulate the OIDC token verification process and force the system to make outbound requests to attacker-controlled servers, potentially compromising confidentiality and integrity.

Such impacts on confidentiality and integrity could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure authentication mechanisms.
