{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.540Z", "datePublished": "2026-03-11T19:36:03.271Z", "dateUpdated": "2026-03-12T19:57:39.336Z"}, "containers": {"cna": {"title": "Unity Catalog has a JWT Issuer Validation Bypass Allows Complete User Impersonation", "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1390", "lang": "en", "description": "CWE-1390: Weak Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x"}], "affected": [{"vendor": "unitycatalog", "product": "unitycatalog", "versions": [{"version": "<= 0.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:36:03.271Z"}, "descriptions": [{"lang": "en", "value": "Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider."}], "source": {"advisory": "GHSA-qqcj-rghw-829x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:57:32.423355Z", "id": "CVE-2026-27478", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:57:39.336Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T19:57:32.423355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:57:35.846Z"}}], "cna": {"title": "Unity Catalog has a JWT Issuer Validation Bypass Allows Complete User Impersonation", "source": {"advisory": "GHSA-qqcj-rghw-829x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "unitycatalog", "product": "unitycatalog", "versions": [{"status": "affected", "version": "<= 0.4.0"}]}], "references": [{"url": "https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x", "name": "https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1390", "description": "CWE-1390: Weak Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T19:36:03.271Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27478", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:57:39.336Z", "dateReserved": "2026-02-19T19:46:03.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T19:36:03.271Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unitycatalog:unitycatalog:*:*:*:*:data:*:*:*", "matchCriteriaId": "9F8FADA8-01BB-4960-B167-32A34E6DB6E3", "versionEndIncluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unity Catalog is an open, multi-modal Catalog for data and AI. In 0.4.0 and earlier, a critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without validating that the issuer is a trusted identity provider."}, {"lang": "es", "value": "Unity Catalog es un Cat\u00e1logo abierto y multimodal para datos e IA. En la versi\u00f3n 0.4.0 y anteriores, existe una vulnerabilidad cr\u00edtica de omisi\u00f3n de autenticaci\u00f3n en el endpoint de intercambio de tokens de Unity Catalog (/API/1.0/unity-control/auth/tokens). El endpoint extrae la declaraci\u00f3n del emisor (iss) de los JWT entrantes y la utiliza para obtener din\u00e1micamente el endpoint JWKS para la validaci\u00f3n de firmas sin validar que el emisor sea un proveedor de identidad de confianza."}], "id": "CVE-2026-27478", "lastModified": "2026-03-16T20:24:07.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T20:16:14.810", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-1390"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "unitycatalog", "source": "cna", "vendor": "unitycatalog"}, "product": "unitycatalog", "vendor": "unitycatalog"}], "analysis": {"en": {"generated_at": "2026-03-16T23:10:59.138513+00:00", "value": {"mitigation_remediation": ["Upgrade Unity Catalog to the latest version (0.4.1 or later) as released by the vendor.", "Configure the token exchange endpoint to validate the issuer against a whitelist of trusted identity providers.", "Disable or restrict access to the token exchange endpoint for untrusted networks or clients.", "Monitor authentication logs for suspicious token exchange activity.", "Review and apply any additional security advisories linked at https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass leading to User Impersonation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Unity Catalog product from the vendor unitycatalog. Applicable versions are 0.4.0 and any earlier releases. The affected CPE string is cpe:2.3:a:unitycatalog:unitycatalog:*:*:*:*:data:*:*:*, indicating the generic data and AI catalog platform.", "description_and_impact": "In Unity Catalog versions 0.4.0 and earlier, the token exchange endpoint (/api/1.0/unity-control/auth/tokens) retrieves the issuer (iss) claim from incoming JWTs and uses that value to dynamically fetch the corresponding JWKS endpoint for signature validation, but it does not verify that the issuer is a trusted identity provider. This omission allows an attacker to craft a JWT signed by an arbitrary issuer and successfully pass authentication, effectively impersonating any user in the system. The vulnerability is classified under CWE-1390, CWE-290, and CWE-346.", "risk_and_exploitability": "The CVSS score of 9.1 categorizes this as a critical severity vulnerability. The EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. While the exact attack vector is not explicitly stated in the provided data, it is inferred that an attacker would need network access to the token exchange endpoint, making it an online exploit scenario. Successful exploitation permits full user impersonation, compromising confidentiality, integrity, and potentially the availability of data services within the affected Unity Catalog deployment."}}}}, "created": "2026-03-12T09:56:38.077688+00:00", "updated": "2026-03-23T09:55:17.637991+00:00", "vendors": ["unitycatalog", "unitycatalog$PRODUCT$unitycatalog"]}