CVE-2026-24069 Overview
CVE-2026-24069 is an Improper Authorization vulnerability (CWE-863) affecting Kiuwan SAST, a static application security testing platform. The vulnerability allows locally disabled user accounts to continue accessing the application when authentication is performed through Single Sign-On (SSO). This improper authorization check creates a security gap where user account status is not properly validated during SSO login flows, effectively bypassing account disablement controls.
Kiuwan Cloud was affected by this vulnerability, and Kiuwan SAST on-premise (KOP) versions prior to 2.8.2509.4 are vulnerable. Organizations relying on SSO integration with Kiuwan SAST should assess their exposure and apply available patches.
Critical Impact
Disabled user accounts can bypass local account controls and maintain unauthorized access to the Kiuwan SAST application through SSO authentication, potentially allowing former employees or revoked users to access sensitive source code analysis data.
Affected Products
- Kiuwan Cloud (affected)
- Kiuwan SAST on-premise (KOP) versions before 2.8.2509.4
Discovery Timeline
- 2026-04-14 - CVE-2026-24069 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-24069
Vulnerability Analysis
This vulnerability represents an Improper Authorization flaw where the Kiuwan SAST application fails to properly enforce local account status when users authenticate via SSO. In typical SSO implementations, identity providers handle authentication while the application maintains authorization decisions including account enablement status.
The root issue lies in the disconnect between the SSO authentication flow and the local user management system. When an administrator disables a mapped user account within Kiuwan SAST, the expectation is that the user should no longer be able to access the application. However, the SSO login process does not properly check or enforce this local disabled status, allowing the user to continue accessing the application despite being disabled locally.
This has significant implications for organizations using Kiuwan SAST for static code analysis, as disabled accounts may still access sensitive security findings, source code vulnerabilities, and compliance reports.
Root Cause
The vulnerability stems from improper synchronization between SSO-based authentication and local authorization controls. When processing SSO login requests, the application validates the user's identity through the external identity provider but fails to check whether the corresponding local user account has been disabled. This creates a bypass condition where the local account status is effectively ignored during SSO authentication flows.
Attack Vector
An attacker with a disabled Kiuwan SAST user account can exploit this vulnerability by continuing to authenticate through the organization's SSO provider. Since the identity provider may still have the user's credentials active (especially in cases where user termination processes are not fully synchronized), the attacker can:
- Navigate to the Kiuwan SAST login page
- Select the SSO authentication option
- Authenticate with valid SSO credentials
- Gain access to the application despite having a locally disabled account
This attack requires the user to have previously been a legitimate user with a mapped SSO account and for the SSO provider to still accept their credentials.
Detection Methods for CVE-2026-24069
Indicators of Compromise
- Successful login events from user accounts that have been marked as disabled in the Kiuwan SAST user management interface
- Authentication audit logs showing SSO logins for accounts with a "disabled" or "inactive" status in local user databases
- Access to sensitive security reports or source code analysis data by accounts that should have been revoked
Detection Strategies
- Review Kiuwan SAST access logs and correlate with local user account status to identify disabled accounts that have logged in via SSO
- Implement monitoring alerts for login events from any user account flagged as disabled in the application's user management system
- Cross-reference SSO provider authentication logs with Kiuwan SAST local account status to detect discrepancies
- Audit user session data to identify active sessions belonging to disabled accounts
Monitoring Recommendations
- Enable comprehensive audit logging for all authentication events in Kiuwan SAST
- Configure SIEM integration to alert on login events from accounts with disabled status
- Implement periodic reconciliation between identity provider user status and Kiuwan SAST local account status
- Monitor for unusual access patterns from accounts that were recently disabled
How to Mitigate CVE-2026-24069
Immediate Actions Required
- Upgrade Kiuwan SAST on-premise (KOP) installations to version 2.8.2509.4 or later
- For Kiuwan Cloud users, verify with the vendor that patches have been applied to the cloud service
- Review all currently disabled user accounts and verify they do not have active sessions
- Audit SSO configurations to ensure proper user lifecycle management integration
- Consider temporarily disabling SSO authentication until patches are applied if feasible
Patch Information
For on-premise deployments, update to Kiuwan SAST on-premise (KOP) version 2.8.2509.4 or later, which addresses this improper authorization issue. Cloud deployments should contact Kiuwan support to verify patch status. Additional technical details are available in the SEC Consult KiuwanLock Analysis and the Full Disclosure April 2026 Post.
Workarounds
- Disable SSO authentication and require local authentication only until patches can be applied
- Implement a manual process to remove or delete disabled user accounts from the SSO user mapping rather than simply disabling them
- Configure the identity provider to also disable or remove the user when they are disabled in Kiuwan SAST
- Establish session termination procedures that invalidate all active sessions when a user account is disabled
- Regularly audit and purge inactive or disabled user accounts from the system entirely
# Configuration example for reviewing disabled user accounts
# Check Kiuwan user status and validate against SSO mappings
# Consult Kiuwan documentation for specific commands
# Ensure all disabled accounts are also removed from SSO user mappings
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
