resolved
CVE-2026-9545: exposing HTTP/3 early data
Bug reported by Eunsoo Kim was disclosed at June 24, 2026, 6:24 am | Improper Certificate Validation
resolved
CVE-2026-11856: cross-origin Digest auth state leak
Bug reported by John was disclosed at June 24, 2026, 6:21 am | Information Exposure Through Sent Data
resolved
Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column
Bug reported by Anshuman Bhartiya was disclosed at June 23, 2026, 12:37 pm | Authentication Bypass by Capture-replay
The Taskcluster web-server's OAuth2 token-exchange handler did not consume authorization codes and did not enforce the authorization-code expiry. A leaked authorization code could be replayed to mint additional bridge access tokens for the original user, past the 10-minute window required by the OAuth2 standard. The expiry check in the token-exchange handler and the bridge-token-to-credentials handler read the wrong expiry column, allowing expired codes to remain usable until the daily cleanup cron deleted them.
![[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]](https://64.media.tumblr.com/834502d05f9b014cbc37366fe428a5a7/13cb9841c0799d7a-ff/s500x560/e72398fe92beda2aa80d0329e8b9f4febece7568.gif)
