Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
Federated Identity User Data Replacement with Silent JIT Provisioning
CVE-2024-1524
Summary
Enabling Silent JIT Provisioning for federated IDPs risks replacing local user data if a malicious actor knows a local user's username and creates an account matching it on the federated IDP. To mitigate, ensure that no local user names match federated user names or disable JIT provisioning. Review your IDP settings and adjust them according to your security policies.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wso2 | api_manager | > 4.2.0 , <= 4.2.0.108 | – |
| wso2 | identity_server | > 6.0.0 , <= 6.0.0.171 | – |
| wso2 | identity_server | > 6.1.0 , <= 6.1.0.128 | – |
Original title
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account...
Original description
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users.
There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.
The Deployment should have:
-An IDP configured for federated authentication with Silent JIT provisioning enabled.
The malicious actor should have:
-A fresh valid user account in the federated IDP that has not been used earlier.
-Knowledge of the username of a valid user in the local IDP.
-An account at the federated IDP matching the targeted local username.
There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.
The Deployment should have:
-An IDP configured for federated authentication with Silent JIT provisioning enabled.
The malicious actor should have:
-A fresh valid user account in the federated IDP that has not been used earlier.
-Knowledge of the username of a valid user in the local IDP.
-An account at the federated IDP matching the targeted local username.
nvd CVSS3.1
8.1
Vulnerability type
CWE-290
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026