High
resolved
Mint OAuth2 access token for targeted user
Bug reported by Timothy Leung was disclosed on July 23, 2025, 12:06 am | Improper Authentication - Generic
The vulnerability allowed a group owner to create an application that was trusted by default, bypassing CSRF controls for the authorization flow. This enabled the minting of access tokens for targeted users without their consent.

