Vulnerability Description
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-9084?
CVE-2026-9084 is a documented vulnerability. MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecur...
How severe is CVE-2026-9084?
CVSS scoring is not yet available for CVE-2026-9084. Check NVD for updates.
Is there a patch for CVE-2026-9084?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.