
Commit 3f3b31e

1 parent ae2408c commit 3f3b31e

6 files changed

Lines changed: 468 additions & 40 deletions


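--- /dev/null
+++ b/PATH_NOT_SHOWN/GHSA-5568-6qcg-g7fx.json
@@ -0,0 +1,198 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-5568-6qcg-g7fx",
+"modified": "2026-04-10T21:01:01Z",
+"published": "2026-04-10T12:31:44Z",
+"aliases": [
+"CVE-2026-39304"
+],
+"summary": " Apache ActiveMQ: Denial of Service via Out of Memory vulnerability",
+"details": "Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:activemq-client"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.19.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:activemq-client"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0"
+},
+{
+"fixed": "6.2.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:activemq-broker"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.19.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:activemq-broker"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0"
+},
+{
+"fixed": "6.2.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:activemq-all"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.19.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:activemq-all"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0"
+},
+{
+"fixed": "6.2.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:apache-activemq"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.19.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.apache.activemq:apache-activemq"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0"
+},
+{
+"fixed": "6.2.4"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39304"
+},
+{
+"type": "WEB",
+"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/apache/activemq"
+},
+{
+"type": "WEB",
+"url": "http://www.openwall.com/lists/oss-security/2026/04/09/17"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-400"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-10T21:01:01Z",
+"nvd_published_at": "2026-04-10T11:16:23Z"
+}
+}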
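Review bot: The `fixed` event of every 5.x range (new-file lines 31, 69, 107 and 145) is `"5.19.4"`, while the `details` string on line 10 tells users to upgrade to "6.2.4 or 5.19.5"; the range agrees with the "before 5.19.4" sentence in the same text but not with the upgrade recommendation, so anyone matching installed versions against this record will treat 5.19.4 as patched while the prose points one release higher. The inconsistency may originate in the upstream announcement, but it should be confirmed against the linked advisory and the two statements aligned before the record is consumed. Separately, the `summary` on line 9 carries a leading space: `"summary": "Apache ActiveMQ: Denial of Service via Out of Memory vulnerability",`.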
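--- /dev/null
+++ b/PATH_NOT_SHOWN/GHSA-75hx-xj24-mqrw.json
@@ -0,0 +1,66 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-75hx-xj24-mqrw",
+"modified": "2026-04-10T20:59:58Z",
+"published": "2026-04-10T20:59:58Z",
+"aliases": [],
+"summary": "n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport",
+"details": "### Summary\n\nSeveral HTTP transport endpoints in n8n-mcp lacked proper authentication, and the health check endpoint exposed sensitive operational metadata without credentials.\n\n### Impact\n\nAn unauthenticated attacker with network access to the n8n-mcp HTTP server could disrupt active MCP sessions and gather information useful for further attacks.\n\n### Patches\n\nFixed in **v2.47.6**. All MCP session endpoints now require Bearer authentication. The health check endpoint has been reduced to a minimal liveness response.\n\n### Workarounds\n\nIf you cannot upgrade immediately:\n\n- **Restrict network access** to the HTTP server using firewall rules, reverse proxy IP allowlists, or a VPN so that only trusted clients can reach it.\n- **Use stdio mode** (`MCP_MODE=stdio`) instead of HTTP mode. The stdio transport does not expose any HTTP endpoints and is unaffected by this vulnerability.\n\nUpgrading to v2.47.6 is still strongly recommended.\n\n### Credit\n\nReported by @yotampe-pluto.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "n8n-mcp"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.47.6"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 2.47.5"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-75hx-xj24-mqrw"
+},
+{
+"type": "WEB",
+"url": "https://github.com/czlonkowski/n8n-mcp/commit/ca9d4b3df6419b8338983be98f7940400f78bde3"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/czlonkowski/n8n-mcp"
+},
+{
+"type": "WEB",
+"url": "https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.6"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-306"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-10T20:59:58Z",
+"nvd_published_at": null
+}
+}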
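--- /dev/null
+++ b/PATH_NOT_SHOWN/GHSA-7m55-2hr4-pw78.json
@@ -0,0 +1,69 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-7m55-2hr4-pw78",
+"modified": "2026-04-10T21:00:35Z",
+"published": "2026-04-10T21:00:35Z",
+"aliases": [
+"CVE-2026-5774"
+],
+"summary": "Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence",
+"details": "### Summary\n\nThe localLoginHandlers struct in the Juju API server maintains an in-memory map to store discharge tokens following successful local authentication. This map is accessed concurrently from multiple HTTP handler goroutines without any synchronization primitive protecting it. The absence of a mutex or equivalent mechanism means that concurrent reads, writes, and deletes on the map can trigger Go runtime panics and may allow a discharge token to be consumed more than once before deletion completes.\n\n### Details\n\nWhen a user authenticates through the local login flow, a discharge token is generated and stored in a plain `map[string]string` field named userTokens. The form handler writes to this map when authentication succeeds, and the third-party caveat checker reads from and deletes from the same map when a discharge request arrives. Both code paths execute inside goroutines dispatched by the HTTP server, meaning concurrent requests will access the map simultaneously.\n\nGo's runtime detects concurrent map access and will terminate the process with a fatal error when a write races with another write or read. This makes the API server susceptible to a denial-of-service attack from any authenticated user who can trigger simultaneous discharge requests. Beyond the crash scenario, the read-then-delete sequence in the caveat checker is not atomic. Two goroutines processing the same token concurrently may both pass the existence check before either executes the deletion, allowing a single-use discharge token to be accepted more than once and effectively replaying authentication.\n\nThe struct definition that introduces the unsafe field is shown below.\n\n```go\ntype localLoginHandlers struct {\n authCtxt *authContext\n userTokens map[string]string\n}\n```\n\nThe concurrent access originates from the caveat checker calling `username, ok := h.userTokens[tokenString]` followed by `delete(h.userTokens, tokenString)` with no lock held, while formHandler concurrently executes `h.userTokens[token] = username` in a separate goroutine.\n\n### PoC\n\n```go\npackage main\n\nimport (\n \"net/http\"\n \"sync\"\n)\n\nfunc main() {\n token := \"acquired-discharge-token\"\n endpoint := \"https://target-juju-api:17070/local-login/discharge\"\n\n var wg sync.WaitGroup\n for i := 0; i < 20; i++ {\n wg.Add(1)\n go func() {\n defer wg.Done()\n req, _ := http.NewRequest(\"GET\", endpoint+\"?token=\"+token, nil)\n http.DefaultClient.Do(req)\n }()\n }\n wg.Wait()\n}\n```\n\n### Impact\n\nAny authenticated user who obtains a valid discharge token can send a burst of concurrent requests to the discharge endpoint. The most reliable outcome is a Go runtime panic caused by concurrent map access, which terminates the Juju API server process and denies service to all connected clients and agents. Under favorable timing conditions the same token may be accepted by multiple goroutines before deletion, bypassing the single-use enforcement and allowing repeated authentication with a token that should have been invalidated after first use.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/juju/juju"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "0.0.0-20260408003526-d395054dc2c3"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5774"
+},
+{
+"type": "WEB",
+"url": "https://github.com/juju/juju/pull/22205"
+},
+{
+"type": "WEB",
+"url": "https://github.com/juju/juju/pull/22206"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/juju/juju"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-362"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-04-10T21:00:35Z",
+"nvd_published_at": "2026-04-10T13:16:46Z"
+}
+}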
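Review bot: The only `fixed` event for `github.com/juju/juju` (new-file line 31) is the pseudo-version `"0.0.0-20260408003526-d395054dc2c3"`, so under semver ordering every version above `0.0.0` compares as already fixed; if the module also has tagged releases that predate the fix, a consumer matching an installed tagged version against this range will report it as unaffected even though the `details` text describes the unpatched code as present in the API server. Whether such tags exist is not visible here, but the record gives consumers nothing else to go on. The n8n-mcp record in this same commit sets `"last_known_affected_version_range"` in the package-level `database_specific`; adding an equivalent bound here, or a second range whose events name the affected tagged releases, would make the record usable for version matching.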
