Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2023-20903 – Tokens for inactivated IDPs are not revoked and remain valid until expiration



CVSS score: 2.7 (Low)


Cloud Foundry Foundation

Versions Affected

All versions


This disclosure regards a vulnerability related to UAA refresh tokens and external identity providers.
Assuming that:

  • an external identity provider is linked to the UAA
  • a refresh token is issued to a client on behalf of a user from that identity provider
  • the administrator of the UAA deactivates the identity provider from the UAA

It is expected that the UAA would reject a refresh token during a refresh token grant, but it does not (hence the vulnerability). It will continue to issue access tokens to request presenting such refresh tokens, as if the identity provider was still active.

As a result, clients with refresh tokens issued through the deactivated identity provider would still have access to Cloud Foundry resources until their refresh token expires (which defaults to 30 days).

Affected Cloud Foundry Products and Versions

*Severity is 2.7 unless otherwise noted.

  • UAA
  • all supported releases


Users of Cloud Foundry and UAA are encouraged to follow the mitigations below.

When updating an identity provider’s setting in the UAA to become inactive (set “active” to “false”), if you expect all tokens to be revoked, you should revoke them manually by calling one of the endpoints for revoking tokens.

At this time this notice is provided for your information only. Users are encouraged to apply the mitigation to their UAA identity provider management process.


This issue was responsibly reported by Florian Tack (SAP)


2023-03-20: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR