resolved
CVE-2026-9545: exposing HTTP/3 early data
Bug reported by Eunsoo Kim, disclosed on June 24, 2026, 6:24 am | Improper Certificate Validation
resolved
CVE-2026-11856: cross-origin Digest auth state leak
Bug reported by John, disclosed on June 24, 2026, 6:21 am | Information Exposure Through Sent Data
resolved
Taskcluster web-server OAuth2 authorization codes are reusable and the exchange handler checks the wrong expiry column
Bug reported by Anshuman Bhartiya, disclosed on June 23, 2026, 12:37 pm | Authentication Bypass by Capture-replay
The Taskcluster web-server's OAuth2 token-exchange handler did not consume authorization codes after use and did not enforce their expiry. A leaked authorization code could therefore be replayed to mint additional bridge access tokens for the original user, well past the 10-minute window required by the OAuth2 standard. Both the token-exchange handler and the bridge-token-to-credentials handler read the wrong expiry column when checking validity, so expired codes remained usable until the daily cleanup cron deleted them.