CVE-2026-24069 PUBLISHED

Improper Enforcement of Disabled Accounts in WebUI SSO in Kiuwan SAST

Assigner: SEC-VLab
Reserved: 21.01.2026 Published: 14.04.2026 Updated: 14.04.2026

Kiuwan SAST improperly authorizes SSO logins for mapped user accounts that have been disabled locally: a user whose local account is disabled can still sign in through SSO and continue accessing the application. Kiuwan Cloud was affected; Kiuwan SAST on-premise (KOP) was affected before version 2.8.2509.4.
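The authorization flaw the description names (a valid identity-provider assertion accepted as sufficient, with no check of the local account's disabled flag) beside its hardened form, as an added Python example written for this page. It is not Kiuwan's code; the user store, the assertion shape, the function names and the signature check are hypothetical stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LocalUser:
    username: str
    email: str
    disabled: bool


# Constructed local user directory for this example (not Kiuwan data).
# "Mapped" accounts are local users tied to an IdP identity by e-mail.
USERS = {
    "alice@example.com": LocalUser("alice", "alice@example.com", disabled=False),
    "bob@example.com": LocalUser("bob", "bob@example.com", disabled=True),
}


def verify_assertion(assertion: dict) -> bool:
    """Hypothetical stand-in for signature/issuer/audience validation of the
    IdP assertion; a real service provider validates the SAML/OIDC token
    cryptographically. Here the constructed assertion carries a flag."""
    return bool(assertion.get("signature_valid"))


def map_subject(assertion: dict) -> Optional[LocalUser]:
    """Resolve the IdP subject claim to the locally mapped account, or None."""
    return USERS.get(str(assertion.get("subject", "")).lower())


def issue_session(user: LocalUser) -> str:
    """Stand-in for creating an application session."""
    return f"session:{user.username}"


def sso_login_vulnerable(assertion: dict) -> Optional[str]:
    """Pattern the advisory describes (CWE-863): a valid IdP assertion is
    treated as the whole decision, so the local 'disabled' flag is never
    consulted and a disabled mapped user still gets a session."""
    if not verify_assertion(assertion):
        return None
    user = map_subject(assertion)
    if user is None:
        return None
    return issue_session(user)


def sso_login_fixed(assertion: dict) -> Optional[str]:
    """Hardened form: authentication (proved by the IdP) and authorization
    (local account status) are separate decisions; a disabled mapped
    account is refused even with a valid assertion."""
    if not verify_assertion(assertion):
        return None
    user = map_subject(assertion)
    if user is None or user.disabled:
        return None
    return issue_session(user)


def disabled_accounts_rejected(login: Callable[[dict], Optional[str]]) -> bool:
    """Regression check: every locally disabled mapped account must be refused
    when the IdP presents a valid assertion for it. Returns True if the
    given login handler enforces that for all disabled users."""
    for user in USERS.values():
        if user.disabled:
            assertion = {"subject": user.email, "signature_valid": True}
            if login(assertion) is not None:
                return False
    return True


if __name__ == "__main__":
    bob = {"subject": "bob@example.com", "signature_valid": True}
    print("vulnerable handler:", sso_login_vulnerable(bob))  # session issued for a disabled user
    print("fixed handler:", sso_login_fixed(bob))            # None: login refused
```

`disabled_accounts_rejected` is the check to run before and after a fix: disable a mapped account locally, leave it active at the identity provider, and attempt an SSO login for it. The status check has to live in the service provider's SSO path, because disabling an account locally does not deprovision it at the identity provider, which will keep issuing valid assertions for that user.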

Product Status

Vendor: Kiuwan
Product: SAST
Versions (default status: unaffected):
  • Versions before 2.8.2509.4 are affected

Solutions

The issue was fixed for Kiuwan Cloud on 29 July 2025. For Kiuwan SAST on-premise (KOP), the issue is fixed in version 2.8.2509.4.

Credits

  • Bernhard Gründling, SEC Consult Vulnerability Lab (finder)
  • Fabian Würfl, SEC Consult Vulnerability Lab (analyst)
  • Johannes Greil, SEC Consult Vulnerability Lab (analyst)

Problem Types

  • CWE-863 Incorrect Authorization

Impacts

  • CAPEC-114 Authentication Abuse