Cloudfoundry UAA Fails to Properly Revoke User Tokens
CVE-2026-22723
GHSA-6wcw-r64p-qrrw
Summary
A bug in Cloudfoundry UAA's token revocation system can cause user tokens to remain active even after they're supposed to be revoked. This can lead to unauthorized access to user accounts. Users should update to a fixed version of Cloudfoundry UAA to ensure token revocation works correctly.
What to do
- Update cloudfoundry org.cloudfoundry.identity:cloudfoundry-identity-server to version 78.8.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| cloudfoundry | org.cloudfoundry.identity:cloudfoundry-identity-server | > 77.30.0, <= 78.8.0 | 78.8.0 |
Original title
Cloudfoundry UAA has logic error in the token revocation endpoint implementation
Original description
Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.
NVD CVSS 3.1 base score: 6.5
- https://www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation/
- https://nvd.nist.gov/vuln/detail/CVE-2026-22723
- https://github.com/cloudfoundry/uaa/commit/74c88235b5bc6e61752624700e91f61fd724d...
- https://github.com/cloudfoundry/uaa/releases/tag/v78.8.0
- https://github.com/advisories/GHSA-6wcw-r64p-qrrw
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026