CVE-2026-8590 PUBLISHED

Spotfire OAuth2 PKCE Bypass for public clients

Assigner: Spotfire
Reserved: 14.05.2026 Published: 14.07.2026 Updated: 14.07.2026

Vulnerability in Spotfire Spotfire Enterprise (Spotfire Server modules), Spotfire Spotfire Enterprise with External Consumers (Spotfire Server modules), Spotfire Spotfire on Kubernetes (Spotfire Server modules).

This issue affects Spotfire Enterprise: through 14.0.12, through 14.4.2, through 14.5.0, through 14.6.1, through 14.6.2, through 14.7.0, through 14.8.0; Spotfire Enterprise with External Consumers: through 14.0.12, through 14.5.0, through 14.6.0, through 14.6.1, through 14.6.2, through 14.7.0, through 14.8.0; Spotfire on Kubernetes: through 4.2.0, 5.0.X, 6.0.X.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Spotfire
Product Spotfire Enterprise
Versions Default: affected
  • affected from 0 to 14.0.12 (incl.)
  • affected from 0 to 14.4.2 (incl.)
  • affected from 0 to 14.5.0 (incl.)
  • affected from 0 to 14.6.1 (incl.)
  • affected from 0 to 14.6.2 (incl.)
  • affected from 0 to 14.7.0 (incl.)
  • affected from 0 to 14.8.0 (incl.)
Vendor Spotfire
Product Spotfire Enterprise with External Consumers
Versions Default: affected
  • affected from 0 to 14.0.12 (incl.)
  • affected from 0 to 14.5.0 (incl.)
  • affected from 0 to 14.6.0 (incl.)
  • affected from 0 to 14.6.1 (incl.)
  • affected from 0 to 14.6.2 (incl.)
  • affected from 0 to 14.7.0 (incl.)
  • affected from 0 to 14.8.0 (incl.)
Vendor Spotfire
Product Spotfire on Kubernetes
Versions Default: affected
  • affected from 0 to 4.2.0 (incl.)
  • Version 5.0.x is affected
  • Version 6.0.x is affected

References