CVE-2026-22723
MEDIUM 6.5 | EPSS 0.08%
Cloudfoundry UAA has logic error in the token revocation endpoint implementation
Published: 3/5/2026 | Modified: 3/9/2026
Also known as: GHSA-6wcw-r64p-qrrw
Description
Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.
Affected packages (1)
- Maven/org.cloudfoundry.identity:cloudfoundry-identity-server >= 77.30.0, < 78.8.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-22723
- PATCH: https://github.com/cloudfoundry/uaa
- WEB: https://github.com/cloudfoundry/uaa/commit/74c88235b5bc6e61752624700e91f61fd724dfcd
- WEB: https://github.com/cloudfoundry/uaa/releases/tag/v78.8.0
- WEB: https://www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation