CVE-2026-22723: Cloudfoundry UAA has logic error in the token revocation endpoint implementation

March 5, 2026 (updated March 9, 2026)

Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.

References

github.com/advisories/GHSA-6wcw-r64p-qrrw
github.com/cloudfoundry/uaa
github.com/cloudfoundry/uaa/commit/74c88235b5bc6e61752624700e91f61fd724dfcd
github.com/cloudfoundry/uaa/releases/tag/v78.8.0
nvd.nist.gov/vuln/detail/CVE-2026-22723
www.cloudfoundry.org/blog/cve-2026-22723-uaa-user-token-revocation

Code Behaviors & Features

Detect and mitigate CVE-2026-22723 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →