{"id":"CVE-2026-27478","summary":"Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation","details":"Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from an incoming JWT and uses it to dynamically fetch the JWKS endpoint used for signature validation, without first validating that the issuer is a trusted identity provider. Because the key set used to verify the signature is selected by the untrusted token itself, a valid signature provides no assurance that the token was issued by a trusted identity provider, which is what allows the impersonation described in the summary.","aliases":["GHSA-qqcj-rghw-829x"],"modified":"2026-04-10T05:38:26.779333Z","published":"2026-03-11T19:36:03.271Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27478.json","cwe_ids":["CWE-1390","CWE-290","CWE-346"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27478.json"},{"type":"ADVISORY","url":"https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27478"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/unitycatalog/unitycatalog","events":[{"introduced":"0"},{"last_affected":"4fa81306825341728580f0ecd2733b58a029e53a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.4.0"}]}}],"versions":["ai-v0.3.0","v0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27478.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}