CVE-2026-22723 - Vulnerability Details - OpenCVE

Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cloudfoundry	Uaa

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/mdr-for-endpoint
https://www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation/

History

Fri, 06 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cloudfoundry Cloudfoundry uaa
Vendors & Products		Cloudfoundry Cloudfoundry uaa

Thu, 05 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.
Title		UAA User Token Revocation logic error
References		https://www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation/
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-03-05T20:40:27.743Z

Updated: 2026-03-06T16:31:36.817Z

Reserved: 2026-01-09T06:54:36.841Z

Link: CVE-2026-22723

Vulnrichment

Updated: 2026-03-06T16:31:33.348Z

NVD

Status : Received

Published: 2026-03-05T21:16:14.610

Modified: 2026-03-05T21:16:14.610

Link: CVE-2026-22723

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22723", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:36.841Z", "datePublished": "2026-03-05T20:40:27.743Z", "dateUpdated": "2026-03-06T16:31:36.817Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "UAA", "vendor": "Cloudfoundry Foundation", "versions": [{"lessThanOrEqual": "v78.7.0", "status": "affected", "version": "77.30.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Inappropriate user token revocation <span style=\"background-color: rgb(255, 255, 255);\">due to a logic error in the token revocation endpoint implementation </span>in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment <span style=\"background-color: rgb(255, 255, 255);\">v48.7.0 to v54.10.0.</span></span><br>"}], "value": "Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation\u00a0in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment\u00a0v48.7.0 to v54.10.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-05T20:40:27.743Z"}, "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation/"}], "source": {"discovery": "UNKNOWN"}, "title": "UAA User Token Revocation logic error", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:31:29.833923Z", "id": "CVE-2026-22723", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:31:36.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22723", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:31:29.833923Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:31:33.348Z"}}], "cna": {"title": "UAA User Token Revocation logic error", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Cloudfoundry Foundation", "product": "UAA", "versions": [{"status": "affected", "version": "77.30.0", "versionType": "custom", "lessThanOrEqual": "v78.7.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation\u00a0in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment\u00a0v48.7.0 to v54.10.0.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Inappropriate user token revocation <span style=\"background-color: rgb(255, 255, 255);\">due to a logic error in the token revocation endpoint implementation </span>in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment <span style=\"background-color: rgb(255, 255, 255);\">v48.7.0 to v54.10.0.</span></span><br>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-05T20:40:27.743Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22723", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:31:36.817Z", "dateReserved": "2026-01-09T06:54:36.841Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-05T20:40:27.743Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}