Cyber Posture

CVE-2026-22734

Severity: High
Published: 17 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: see the vendor advisory linked below
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0001 (3.1 percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22734 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Cloud Foundry UAA (the product is inferred from the references and description; NVD filed no CPE for this CVE). Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at the 3.1 percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Valid Accounts (T1078). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation)

Timely patching of the affected UAA releases removes the code path that accepts unsigned and unencrypted SAML 2.0 bearer assertions, directly preventing the authentication bypass.

prevent (IA-13 Identity Providers and Authorization Servers)

Governs identity providers and authorization servers such as UAA by setting requirements for secure SAML use, including mandatory signatures and encryption on bearer assertions.

prevent

Protects the authenticity of communications sessions and of transmitted authentication information such as SAML assertions, mitigating spoofing through unsigned or unencrypted tokens.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

A remote, unauthenticated bypass of the Internet-facing UAA token endpoint via spoofed SAML assertions is a direct instance of T1190, and the token it yields lets the attacker operate as an existing account (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UAA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive).

Deeper analysis

Cloud Foundry UAA (User Account and Authentication service) is vulnerable to an authentication bypass (CVE-2026-22734) that enables an attacker to obtain an access token for any user, thereby gaining unauthorized access to UAA-protected systems. The flaw arises when SAML 2.0 bearer assertions are enabled for a client, as UAA improperly accepts SAML 2.0 bearer assertions that lack both signatures and encryption. This issue affects UAA versions from v77.30.0 to v78.7.0 (inclusive) and Cloud Foundry (CF) Deployment versions from v48.7.0 to v54.14.0 (inclusive). The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-290 (Authentication Bypass by Spoofing).

An unauthenticated attacker with network access to the UAA token endpoint can exploit this with low complexity and no user interaction. When the feature is enabled for a client, the attacker crafts an unsigned, unencrypted SAML 2.0 bearer assertion naming the targeted user and submits it through the SAML 2.0 bearer grant; UAA accepts it and issues a valid token for that user. Because that token is honored by every system that trusts UAA, the impact crosses the vulnerable component's own authorization scope (CVSS S:C), exposing confidential data and compromising user accounts across the Cloud Foundry environment.
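The acceptance check at the heart of this bug, as an added example that is not UAA's code: a small Go model of a SAML 2.0 bearer assertion, an IdP-side Sign, and a token-endpoint Validator whose RequireSignature flag switches between the behaviour the advisory describes (an unsigned, unencrypted assertion is trusted, so the attacker chooses the NameID) and the correct one. The issuer URL, subject, RSA key and the simplified canonical form (the assertion serialised without its Signature element, standing in for XML-DSig's C14N and enveloped-signature transform) are assumptions of the example; encrypted assertions, which the advisory also mentions, are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal SAML 2.0 Assertion model. The signed bytes are the assertion re-serialised
// without its <Signature>: a stand-in (assumed here) for XML-DSig C14N + enveloped transform.
type Assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"`
	Signature  *Signature `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

type (
	Signature  struct{ SignatureValue string `xml:"SignatureValue"` } // base64 RSA-PKCS1v15/SHA-256
	Conditions struct{ NotOnOrAfter string `xml:"NotOnOrAfter,attr"` }
)

func canonical(a Assertion) []byte {
	a.Signature = nil
	b, _ := xml.Marshal(a) // this fixed model cannot fail to marshal
	return b
}

// Sign is what the trusted IdP does; an attacker without its key cannot.
func Sign(a Assertion, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(canonical(a))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	a.Signature = &Signature{SignatureValue: base64.StdEncoding.EncodeToString(sig)}
	return xml.Marshal(a)
}

// Validator is a token endpoint's acceptance policy for assertions presented
// in the urn:ietf:params:oauth:grant-type:saml2-bearer grant (RFC 7522).
type Validator struct {
	TrustedIssuer    string
	IdPKey           *rsa.PublicKey
	RequireSignature bool // false reproduces the CVE-2026-22734 class of bug
}

// Validate returns the subject a token may be minted for, or why not.
func (v Validator) Validate(raw []byte) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	if a.Issuer != v.TrustedIssuer {
		return "", errors.New("untrusted issuer")
	}
	switch {
	case a.Signature == nil && v.RequireSignature:
		return "", errors.New("unsigned assertion rejected")
	case a.Signature == nil:
		// Vulnerable path: an unsigned, unencrypted assertion is taken at face
		// value, so whoever wrote <NameID> picks the account to impersonate.
	default:
		sig, _ := base64.StdEncoding.DecodeString(a.Signature.SignatureValue)
		digest := sha256.Sum256(canonical(a))
		if rsa.VerifyPKCS1v15(v.IdPKey, crypto.SHA256, digest[:], sig) != nil {
			return "", errors.New("bad signature")
		}
	}
	exp, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil || !time.Now().Before(exp) {
		return "", errors.New("assertion expired")
	}
	return a.NameID, nil
}

// Forge builds the attacker's assertion: no IdP key, so simply no <Signature>.
func Forge(issuer, subject string) []byte {
	return canonical(Assertion{ID: "_a1", Issuer: issuer, NameID: subject,
		Conditions: Conditions{NotOnOrAfter: "2099-01-01T00:00:00Z"}})
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)          // stands in for the IdP's signing key
	forged := Forge("https://idp.example.test", "admin") // constructed demo values
	for _, require := range []bool{false, true} {
		v := Validator{TrustedIssuer: "https://idp.example.test", IdPKey: &key.PublicKey, RequireSignature: require}
		subj, err := v.Validate(forged)
		fmt.Printf("RequireSignature=%v: subject=%q err=%v\n", require, subj, err)
	}
}
```

Running it shows the forged "admin" assertion accepted with RequireSignature=false and rejected with RequireSignature=true; the test exercised the same policy against an IdP-signed assertion and a tampered copy of it. A production fix must also pin the verification key to the configured IdP's certificate, since accepting any embedded KeyInfo would just move the spoofing one level down.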

Cloud Foundry's advisory, published 17 April 2026 at https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/, describes the SAML 2.0 signature bypass and the recommended mitigations: disable SAML 2.0 bearer assertions for clients that do not need them, or upgrade to a UAA release later than v78.7.0 or a CF Deployment release later than v54.14.0. Until the upgrade, review which clients have the grant enabled, since each one is an unauthenticated path to a token for any user.

Details

CWE(s): CWE-290 Authentication Bypass by Spoofing

Affected Products: Cloud Foundry UAA (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One (shared CWE-290)

CVE-2025-71056
CVE-2026-33661
CVE-2026-34457
CVE-2025-62235
CVE-2026-35622
CVE-2025-69203
CVE-2026-3902
CVE-2026-30975
CVE-2026-21862
CVE-2026-0834
