DAILY BRIEF · MAY 14, 2026
Nothing's on fire, but one of these deserves your attention fast. The OpenTelemetry Collector's Azure auth extension doesn't actually validate incoming JWTs, so anyone with any valid Azure token can waltz past your collector's authentication. CVSS 8.1, not yet exploited in the wild. Behind that, two SOGo SQL injection bugs and a couple of lower-priority fixes round out the day.
SECURE BOOT CERTIFICATE DEADLINE
41 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
TOP THREAT TODAY
An attacker who holds any valid Azure access token (for ARM, Graph, Key Vault, Storage, whatever) can authenticate to your OpenTelemetry collector's receivers if they're protected by the azureauthextension. The extension never actually validates the incoming JWT. It just mints its own token using a scope pulled from the client's Host header, then does a simple string comparison. Pick the right Host value, send a token you already have, and you're in. Tokens stay valid for hours.
Who's affected: Anyone running OpenTelemetry Collector with the azureauthextension (versions 0.124.0 through 0.150.0) protecting receiver endpoints
Patch within 24 hours.
Upgrade azureauthextension to 0.151.0 or later. If you can't upgrade immediately, remove the azure_auth authenticator from your receivers and restrict network access to the collector until you can.
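To make the flaw concrete from the defender's side, here is an added example (not the extension's code, nor anything from the OpenTelemetry project) contrasting the string-comparison pattern the brief describes with what an authenticator actually has to do: verify the presented token's signature against the identity provider's key, then require the issuer and audience the operator configured, never anything derived from the request's Host header, plus an unexpired `exp`. The RSA key, issuer and audience strings are constructed for the example; it assumes RS256 and a single-string `aud` claim, and in a real deployment the public key would come from the provider's JWKS rather than a locally generated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this check needs.
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"` // assumption: single string, not an array
	Expiry   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// mintRS256 signs a JWT with the given key. It exists only so the example can
// produce tokens offline; a collector has no business minting tokens for callers.
func mintRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// brokenCompare models the flawed pattern from the brief: the server obtains a
// token of its own and compares strings. Equality says nothing about who the
// presented token was issued to or for.
func brokenCompare(presented, serverMinted string) bool {
	return presented == serverMinted
}

// validateToken is the hardened check: RS256 signature against the provider's
// public key, then operator-configured issuer and audience, then expiry.
func validateToken(token string, pub *rsa.PublicKey, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unsupported or malformed header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return Claims{}, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("signature check failed")
	}
	pb, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	if c.Issuer != wantIss {
		return Claims{}, fmt.Errorf("issuer %q not trusted", c.Issuer)
	}
	if c.Audience != wantAud {
		return Claims{}, fmt.Errorf("audience %q is not this collector", c.Audience)
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	exp := now.Add(time.Hour).Unix()
	// Constructed tokens: one scoped to some other service, one to the collector.
	other, _ := mintRS256(key, Claims{Issuer: "https://idp.example", Audience: "https://storage.example", Expiry: exp})
	ours, _ := mintRS256(key, Claims{Issuer: "https://idp.example", Audience: "api://otel-collector", Expiry: exp})
	_, err := validateToken(other, &key.PublicKey, "https://idp.example", "api://otel-collector", now)
	fmt.Println("storage-scoped token accepted:", err == nil)
	_, err = validateToken(ours, &key.PublicKey, "https://idp.example", "api://otel-collector", now)
	fmt.Println("collector-scoped token accepted:", err == nil)
}
```

The audience check is the one that matters for this bug: a token that is perfectly valid for Storage or Graph is rejected because it was not issued for the collector, which is exactly the distinction a string comparison against a self-minted token cannot make.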
CVE-2026-46446 · CVSS 7.1 · HIGH
SOGo before 5.12.7 has a SQL injection bug in its password-change flow when you're using PostgreSQL or MariaDB with cleartext password storage. An attacker who can hit the password change endpoint can inject SQL through the c_password parameter. This only applies if your SOGo instance stores passwords in cleartext, which narrows the blast radius but makes it worse if you're in that camp.
Affects: SOGo sysadmins running versions before 5.12.7 with PostgreSQL or MariaDB backends and cleartext password storage enabled
Patch this week.
Upgrade SOGo to 5.12.7 or later. If you're storing passwords in cleartext, switch to hashed storage while you're at it.
CVE-2026-46445 · CVSS 7.1 · HIGH
A separate SQL injection bug exists in SOGo before 5.12.7 when PostgreSQL is the backend. Unlike CVE-2026-46446, this one isn't limited to the cleartext-password scenario. If you're running SOGo with PostgreSQL, you're exposed.
Affects: SOGo sysadmins running versions before 5.12.7 with a PostgreSQL backend
Patch this week.
Upgrade SOGo to 5.12.7 or later.
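Both SOGo items above come down to the same class of defect: a request value reaching SQL text. The added example below is not SOGo's code (only the `c_password` column name comes from the advisory; the table name, `c_uid` and the `$1` placeholder style are assumed for illustration) and shows the concatenated form next to the parameterized one. The point a practitioner wants to see is that with placeholders the SQL text is the same constant regardless of what the user submits, whereas concatenation lets an ordinary apostrophe in a passphrase change the statement's structure.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is a query template plus the values bound to its placeholders.
// Database drivers send the two separately, so a value can never alter the text.
type Statement struct {
	Query string
	Args  []any
}

// concatenatedPasswordChange is the unsafe pattern: the submitted value is
// spliced into the SQL text, so quote characters in it become part of the statement.
func concatenatedPasswordChange(uid, newPassword string) string {
	return fmt.Sprintf("UPDATE sogo_users SET c_password = '%s' WHERE c_uid = '%s'", newPassword, uid)
}

// parameterizedPasswordChange is the hardened form: placeholders in the text,
// values bound at execution time ($1/$2 for PostgreSQL; MariaDB uses ?).
func parameterizedPasswordChange(uid, newPassword string) Statement {
	return Statement{
		Query: "UPDATE sogo_users SET c_password = $1 WHERE c_uid = $2",
		Args:  []any{newPassword, uid},
	}
}

// quoteBalanced is a crude probe for the concatenated form: an odd number of
// single quotes means the user's value has escaped its string literal.
func quoteBalanced(sql string) bool {
	return strings.Count(sql, "'")%2 == 0
}

func main() {
	// Constructed input: a legitimate passphrase that happens to contain an apostrophe.
	pw := "it's-a-long-passphrase"
	unsafeSQL := concatenatedPasswordChange("alice", pw)
	fmt.Println(unsafeSQL)
	fmt.Println("literal still intact:", quoteBalanced(unsafeSQL))
	safe := parameterizedPasswordChange("alice", pw)
	fmt.Println(safe.Query, safe.Args)
}
```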
CVE-2026-33376 · CVSS 7.4 · HIGH
If you use IPv6 addresses in your Auth Proxy allow-list without specifying a subnet mask, the system defaults to /32 instead of /128. That means your allow-list is effectively meaningless for IPv6, since /32 covers an enormous range and lets unauthorized sources through. Only the Auth Proxy feature is affected. Okta, SAML, LDAP, and other auth methods are fine.
Affects: Anyone using the Auth Proxy feature with IPv6 allow-lists who hasn't explicitly specified subnet masks
Patch this week.
Add explicit /128 masks to all IPv6 addresses in your Auth Proxy allow-list right now as a mitigation. Then apply the vendor patch when available.
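The /32-versus-/128 point is easy to misjudge by eye, so here is an added example (not the affected product's code; the allow-list entries and source addresses are constructed documentation-range values) that parses a mask-less entry two ways: the legacy behaviour the advisory describes, where a bare address silently becomes /32, and the corrected default, where a bare address means that single host. It also includes a small audit helper that lists the IPv6 entries still lacking an explicit mask, which is the mitigation step above turned into a check.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// legacyPrefix reproduces the fault from the advisory: an entry with no mask
// gets /32, which is one host for IPv4 but a vast block for IPv6.
func legacyPrefix(entry string) (netip.Prefix, error) {
	if strings.Contains(entry, "/") {
		return netip.ParsePrefix(entry)
	}
	addr, err := netip.ParseAddr(entry)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, 32), nil
}

// hostPrefix is the corrected default: a bare address is exactly that host,
// so the mask is the full width of whichever family it belongs to (32 or 128).
func hostPrefix(entry string) (netip.Prefix, error) {
	if strings.Contains(entry, "/") {
		return netip.ParsePrefix(entry)
	}
	addr, err := netip.ParseAddr(entry)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, addr.BitLen()), nil
}

// allowed checks a source address against an allow-list parsed with the given rule.
func allowed(entries []string, parse func(string) (netip.Prefix, error), src string) (bool, error) {
	ip, err := netip.ParseAddr(src)
	if err != nil {
		return false, err
	}
	for _, e := range entries {
		p, err := parse(e)
		if err != nil {
			return false, fmt.Errorf("allow-list entry %q: %w", e, err)
		}
		if p.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// auditEntries returns the IPv6 entries that carry no explicit mask: the ones to fix.
func auditEntries(entries []string) []string {
	var bare []string
	for _, e := range entries {
		if strings.Contains(e, "/") {
			continue
		}
		if a, err := netip.ParseAddr(e); err == nil && a.Is6() {
			bare = append(bare, e)
		}
	}
	return bare
}

func main() {
	// Constructed allow-list: one IPv4 host and one IPv6 host, neither with a mask.
	list := []string{"192.0.2.10", "2001:db8:1::10"}
	// Constructed source: shares the first 32 bits (2001:db8) with the IPv6 entry, nothing else.
	stray := "2001:db8:ffff::1"
	ok, _ := allowed(list, legacyPrefix, stray)
	fmt.Println("legacy /32 default admits unrelated IPv6 host:", ok)
	ok, _ = allowed(list, hostPrefix, stray)
	fmt.Println("/128 default admits it:", ok)
	fmt.Println("entries needing an explicit /128:", auditEntries(list))
}
```

Writing the entry as `2001:db8:1::10/128` closes the gap even under the legacy parser, which is why adding the explicit mask works as an immediate mitigation before the vendor fix lands.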
CVE-2026-30906 · CVSS 7.8 · HIGH
The Zoom Rooms installer for Windows before version 7.0.0 searches for libraries in untrusted directories. A local attacker who can place a malicious DLL in the right path can escalate privileges when the installer runs. This requires local access and an authenticated user to trigger the install, so remote exploitation isn't a factor.
Affects: Windows sysadmins deploying Zoom Rooms on conference room PCs or kiosks running versions before 7.0.0
Monitor and patch.
Update Zoom Rooms for Windows to version 7.0.0 or later. Until then, lock down write permissions on directories in the installer's search path.
Community Signal Check
Fortinet FortiSandbox: critical unauthenticated authorization bypass
Fortinet dropped advisories for a missing-authorization bug in FortiSandbox (CVE-2026-26083) that lets unauthenticated attackers hit restricted GUI features and pull sandbox analysis data. Additional flaws cover OS command injection in FortiAP and dangerous function usage in FortiAnalyzer/FortiManager. If you run any of these on-prem, patch the critical FortiSandbox fix first.
Fortinet PSIRT · vendor advisory
Ivanti patches 6 flaws across Secure Access Client, Xtraction, vTM, and Endpoint Manager
Ivanti published fixes for 6 vulnerabilities across 4 products. The worst is a SQL injection-to-RCE chain in Endpoint Manager's web console, plus a path traversal in Xtraction that can stage web shells. No exploitation in the wild yet, but Ivanti's track record means you should patch quickly rather than wait for attackers to catch up.
Ivanti · vendor advisory
That's your patch day digest.
patchdayalert.com