Cyber Resilience

CVE-2026-22734

High

Published: 17 April 2026

Published
17 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0036 28.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22734 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Cloudfoundry (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-2 (Flaw Remediation).

Deeper analysis

Cloud Foundry UAA (User Account and Authentication service) is vulnerable to an authentication bypass (CVE-2026-22734) that enables an attacker to obtain an access token for any user, thereby gaining unauthorized access to UAA-protected systems. The flaw arises when SAML 2.0 bearer assertions are enabled for a client, as UAA improperly accepts SAML 2.0 bearer assertions that lack both signatures and encryption. This issue affects UAA versions from v77.30.0 to v78.7.0 (inclusive) and Cloud Foundry (CF) Deployment versions from v48.7.0 to v54.14.0 (inclusive). The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-290 (Authentication Bypass by Spoofing).

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting and submitting an unsigned, unencrypted SAML 2.0 bearer assertion for a targeted user when the feature is enabled, the attacker tricks UAA into issuing a valid token. This grants scope-changed access to confidential data in UAA-protected systems, potentially compromising user accounts across the Cloud Foundry environment.

The official advisory from Cloud Foundry, published on 2026-04-17, provides details on this SAML 2.0 signature bypass at https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/. Security practitioners should consult it for recommended mitigations, such as disabling SAML 2.0 bearer assertions or upgrading to unaffected versions outside the specified ranges.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Cloud Foundry UUA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the…

more

UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UUA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Remote auth bypass in public UAA service via spoofed SAML assertions directly enables T1190 exploitation and T1078 account impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42354Shared CWE-290
CVE-2025-71056Shared CWE-290
CVE-2018-25316Shared CWE-290
CVE-2026-0834Shared CWE-290
CVE-2025-69401Shared CWE-290
CVE-2025-27671Shared CWE-290
CVE-2026-31889Shared CWE-290
CVE-2026-35622Shared CWE-290
CVE-2026-34457Shared CWE-290
CVE-2026-8644Shared CWE-290

Affected Assets

Cloudfoundry
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of the UAA software vulnerability that accepts unsigned and unencrypted SAML 2.0 bearer assertions, directly preventing authentication bypass.

prevent

Manages identity providers and authorization servers like UAA by defining requirements for secure SAML protocols, including mandatory signatures and encryption on bearer assertions.

prevent

Protects the authenticity of communications sessions and transmitted authentication information, such as SAML assertions, to mitigate spoofing via unsigned or unencrypted tokens.

References