{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-56425/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-22T12:25:00.416Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-56425","@id":"https://www.cve.org/CVERecord?id=CVE-2026-56425","description":"The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol.\n\n\nThe application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer header..."},"products":[{"@id":"cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-22T12:25:00.416Z"}]}