If your security model assumes underlying runtimes actually parse strings correctly, I have some terrible news for you.
🪪 The "Trust Me, Bro" JWT
Authlib's JWS implementation has a fatal fallback flaw. If you feed it an unknown key ID, the JWKS resolver legitimately returns `None`. Instead of failing closed with an error, the library shrugs and verifies the token against the attacker’s own injected public key embedded in the token header. Unauthenticated attackers can mint valid admin tokens out of thin air to bypass authentication entirely. Upgrade to Authlib 1.6.9 immediately.
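Added here as a defender's illustration, not Authlib's own code: a fail-closed key resolver that refuses header-embedded keys and raises on an unknown `kid` rather than returning `None`, so there is nothing for a library fallback to pick up. It assumes the resolver shape `callable(header, payload) -> key` that JWS/JWT decode helpers accept; the JWKS and the tokens are constructed samples.

```python
import base64
import json

# Constructed sample JWKS: the only keys this service trusts (placeholder values, not real keys).
TRUSTED_JWKS = {"keys": [{"kty": "RSA", "kid": "signing-2024", "n": "placeholder-modulus", "e": "AQAB"}]}

# Header members that let a token carry, or point at, its own verification key.
CALLER_SUPPLIED_KEY_MEMBERS = ("jwk", "jku", "x5c", "x5u")


class KeyResolutionError(Exception):
    """Raised when a token cannot be bound to a key we trust."""


def _b64url_json(segment: str):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def parse_header(token: str) -> dict:
    """Decode only the protected header of a compact JWS; no signature is checked here."""
    header = _b64url_json(token.split(".")[0])
    if not isinstance(header, dict):
        raise KeyResolutionError("token header is not a JSON object")
    return header


def resolve_key(header: dict, payload: dict) -> dict:
    """Fail-closed resolver (assumed shape: callable(header, payload) -> key).
    It never returns None: an unbindable token raises, so no fallback to a header key can occur."""
    for member in CALLER_SUPPLIED_KEY_MEMBERS:
        if member in header:
            raise KeyResolutionError(f"token header carries {member}; caller-supplied keys are not trusted")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise KeyResolutionError("token header lacks a string kid")
    for jwk in TRUSTED_JWKS["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise KeyResolutionError(f"unknown kid {kid!r}")


def key_binding_status(token: str) -> str:
    """Summarise the resolver's decision as 'trusted:<kid>' or 'rejected:<reason>'."""
    try:
        return "trusted:" + resolve_key(parse_header(token), {})["kid"]
    except (KeyResolutionError, ValueError) as exc:
        return "rejected:" + str(exc)


def make_token(header: dict) -> str:
    """Build a constructed, unsigned compact token (header.payload.sig) for exercising the resolver."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg(header), seg({"sub": "demo"}), "sig"])
```

Signature verification still happens in the library; the point of the resolver is that the only keys it can ever hand back are ones from your own trusted set.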
🪤 SSRF by Punctuation
Spinnaker thought they patched their SSRF vulnerabilities, but they forgot one minor detail: Java’s URL parser completely mishandles hostnames containing the `_` character. Attackers just lace their payloads with the symbol to sail right past the validation filters in Clouddriver and Orca. Your CI/CD pipeline becomes a weaponized open proxy to scrape IMDS cloud credentials and pivot into internal networks. Get the latest Spinnaker patches deployed to shut this down.
📂 Zero-Friction Root Shells
Nextcloud Flow is shipping a nasty path traversal flaw courtesy of the underlying Windmill framework. Unauthenticated attackers can simply walk the directory tree to rip the `SUPERADMIN_SECRET` in plaintext. From there, it’s a straight shot to authenticating and dropping into a root shell inside the container. Update Nextcloud Flow to version 1.3.0 right now, or kill the container until you can patch.