Severity
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y
Vendor
Cloud Foundry Foundation
Versions Affected
- UAA Release: v77.30.0 to v78.7.0
- CF Deployment: v48.7.0 to v54.10.0
Description
Cloud Foundry UAA release versions from v77.30.0 to v78.7.0 are vulnerable to inappropriate user token revocation due to a logic error in the token revocation endpoint implementation.
Affected Cloud Foundry Products and Versions
*Severity is high unless otherwise noted.
- uaa_release
  - All versions from v77.30.0 to v78.7.0 (inclusive)
- CF Deployment
  - All versions from v48.7.0 to v54.10.0 (inclusive)
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- uaa_release
  - Upgrade uaa_release versions to v78.8.0 or greater
- CF Deployment
  - Upgrade cf-deployment version to v54.11.0 or greater
    - Includes uaa_release v78.8.0
Credit
Self-reported by the UAA Cloud Foundry team
History
February 2026: Initial vulnerability report published
