DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27478: Authentication Bypass via Dynamic JWKS Discovery in Unity Catalog


Vulnerability ID: CVE-2026-27478
CVSS Score: 9.1
Published: 2026-05-11

Unity Catalog version 0.4.0 and prior contains a critical authentication bypass vulnerability in the token exchange endpoint. The server dynamically fetches JSON Web Key Sets (JWKS) based on unverified 'iss' (issuer) claims within incoming JSON Web Tokens (JWTs), allowing unauthenticated attackers to forge tokens and impersonate arbitrary users.

TL;DR

A flaw in Unity Catalog's JWT validation allows complete authentication bypass. By supplying a malicious 'iss' claim, attackers force the server to fetch a public key from an attacker-controlled server to validate a forged token.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-290, CWE-346, CWE-1390
  • Attack Vector: Network
  • CVSS v3.1: 9.1 (Critical)
  • EPSS Score: 0.00023 (6.59%)
  • Impact: Complete Authentication Bypass / User Impersonation
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Unity Catalog <= 0.4.0
  • unitycatalog: <= 0.4.0 (Fixed in: 0.4.1)

Code Analysis

Commit: 89b9186

Fix token exchange endpoint to validate issuer and audience claims

Introduces server.allowed-issuers and server.audiences logic before JWKS fetch.

Mitigation Strategies

  • Upgrade Unity Catalog to version 0.4.1 or later.
  • Configure 'server.allowed-issuers' with a strict whitelist of trusted OIDC providers.
  • Configure 'server.audiences' to validate the intended recipient of incoming tokens.
  • Implement network egress filtering to restrict outbound HTTP requests from the Unity Catalog server to known identity providers.

Remediation Steps:

  1. Download Unity Catalog version 0.4.1 from the official repository.
  2. Stop the running Unity Catalog service.
  3. Open the 'etc/conf/server.properties' configuration file.
  4. Add the 'server.allowed-issuers' property with your trusted IdP URLs (e.g., server.allowed-issuers=https://accounts.google.com).
  5. Add the 'server.audiences' property with your application client ID.
  6. Ensure 'server.authorization=enable' is set.
  7. Start the updated Unity Catalog service.
  8. Verify the application logs to ensure successful startup and proper configuration loading.
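The following is an added illustration, not code from the Unity Catalog project (whose server is written in Java; Python is used here only to keep the sketch self-contained). It shows the difference between the two behaviours described above: a pre-fix resolver that derives the JWKS location from whatever the token's unverified 'iss' claim says, and a post-fix gate that first checks the issuer against server.allowed-issuers and the audience against server.audiences, loaded from a constructed server.properties fragment using the keys named in the remediation steps. The comma-separated list format for those properties, the "/.well-known/jwks.json" discovery path, and all issuer and client-id values are assumptions for the demo; the signature segment of the constructed tokens is a placeholder, since the point is the policy check that must run before any key material is fetched, not signature verification itself.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed server.properties fragment. The property names come from the
# advisory's remediation steps; the values and the comma-separated list
# format are assumptions made for this example.
SERVER_PROPERTIES = """
# trust only these OIDC providers
server.authorization=enable
server.allowed-issuers=https://accounts.google.com,https://login.example.test
server.audiences=unity-catalog-client-id
"""


def load_properties(text):
    """Minimal key=value parser for a properties-style file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv_set(props, key):
    """Split a comma-separated property into a set of non-empty entries."""
    return {v.strip() for v in props.get(key, "").split(",") if v.strip()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_jwt(claims):
    """Build a JWT-shaped string (header.payload.signature) for the demo.
    The signature segment is a constructed placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def unverified_claims(token):
    """Decode the payload without checking the signature. Safe only as input
    to a policy decision that happens BEFORE any JWKS is fetched."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def jwks_url_vulnerable(token):
    """Pre-fix behaviour: the token's own 'iss' claim decides where the
    verification keys are downloaded from."""
    iss = unverified_claims(token)["iss"]
    return iss.rstrip("/") + "/.well-known/jwks.json"


def jwks_url_hardened(token, props):
    """Post-fix behaviour: issuer and audience are validated against the
    configured allowlists before any JWKS location is derived.
    Returns the JWKS URL for an accepted token, or None when rejected."""
    if props.get("server.authorization") != "enable":
        return None  # authorization disabled: never resolve keys
    allowed_issuers = _csv_set(props, "server.allowed-issuers")
    audiences = _csv_set(props, "server.audiences")

    claims = unverified_claims(token)
    iss = claims.get("iss")
    # exact-match the issuer; no prefix or substring comparison
    if not isinstance(iss, str) or iss not in allowed_issuers:
        return None
    # 'aud' may be a string or a list (RFC 7519, section 4.1.3)
    aud = claims.get("aud")
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])
    if not aud_set & audiences:
        return None
    if urlparse(iss).scheme != "https":
        return None
    return iss.rstrip("/") + "/.well-known/jwks.json"
```

The important property of the hardened version is ordering: the allowlist decision is made from the token's claims alone, and an issuer outside server.allowed-issuers never produces a URL, so the server makes no outbound request on the attacker's behalf. Egress filtering (the last mitigation above) is the network-layer backstop for the same decision.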


Read the full report for CVE-2026-27478 on our website for more details including interactive diagrams and full exploit analysis.
