PatchSiren cyber security CVE debrief

CVE-2026-24069 Kiuwan CVE debrief

CVE-2026-24069 is a medium-severity improper authorization vulnerability in Kiuwan SAST that allows disabled user accounts to maintain access via SSO authentication. The flaw stems from inadequate synchronization between local account status and SSO authorization decisions. Kiuwan Cloud and on-premise deployments before version 2.8.2509.4 are affected. The vulnerability was published on April 14, 2026, with the NVD record last modified on May 19, 2026. No known exploitation in ransomware campaigns has been reported.

Vendor: Kiuwan
Product: SAST
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-14
Original CVE updated: 2026-05-19
Advisory published: 2026-04-14
Advisory updated: 2026-05-19

Who should care

Organizations using Kiuwan SAST for code security analysis, particularly those with federated identity and automated user lifecycle management, where account disablement is a critical access control mechanism.

Technical summary

Kiuwan SAST fails to properly validate account status during SSO authentication, allowing locally disabled accounts to retain or regain application access. The authorization check does not adequately correlate SSO identity assertions with local account state, resulting in a logic flaw where disablement actions are not enforced at the authentication boundary. This affects both cloud-hosted and on-premise deployments, with on-premise versions requiring update to 2.8.2509.4 or later.

Defensive priority

medium

Recommended defensive actions

  • Review Kiuwan SAST deployment type (Cloud vs. on-premise) and verify version against 2.8.2509.4 for on-premise installations
  • Audit currently disabled accounts with SSO mappings to identify potential unauthorized access during exposure window
  • Verify SSO integration configuration enforces real-time account status checks rather than cached or periodic synchronization
  • Implement compensating monitoring for authentication events from accounts marked disabled in local user stores
  • Coordinate with identity provider administrators to ensure account disablement propagates through SAML/OIDC assertions where applicable

Evidence notes

The vulnerability description indicates improper authorization (CWE-863) for SSO-mapped accounts where local disablement does not invalidate active SSO sessions or prevent re-authentication. Affected versions are explicitly bounded: Kiuwan Cloud (fixed) and Kiuwan SAST on-premise versions prior to 2.8.2509.4. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) reflects network attack vector with low privileges required, yielding medium severity.
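To make the flaw class concrete, here is an added, constructed model (not Kiuwan's code) of an SSO login handler that maps an identity-provider assertion to a local account: with enforcement off it trusts the assertion alone, so a locally disabled account keeps its session and can re-authenticate; with enforcement on, status is checked at the authentication boundary and disablement revokes live sessions. The assertion shape `{"sub": username}` and the `App` class are assumptions for illustration.

```python
"""Constructed model of CWE-863 in an SSO login path: local disablement
is not consulted when an IdP assertion is mapped to a session. Not Kiuwan's code."""
from dataclasses import dataclass, field
import secrets


@dataclass
class LocalUser:
    username: str
    disabled: bool = False


@dataclass
class App:
    users: dict = field(default_factory=dict)     # local account store
    sessions: dict = field(default_factory=dict)  # session token -> username
    enforce_status: bool = True                   # False models the flaw

    def sso_login(self, assertion: dict):
        """Map an IdP assertion (assumed shape {'sub': username}) to a session.
        Flawed path: only checks that a local mapping exists.
        Hardened path: also requires the local account to be enabled."""
        user = self.users.get(assertion.get("sub"))
        if user is None:
            return None
        if self.enforce_status and user.disabled:
            return None  # disablement enforced at the authentication boundary
        token = secrets.token_hex(16)
        self.sessions[token] = user.username
        return token

    def disable_account(self, username: str) -> None:
        """Disable the local account; the hardened path also revokes every
        live session so disablement takes effect immediately."""
        self.users[username].disabled = True
        if self.enforce_status:
            for tok in [t for t, u in self.sessions.items() if u == username]:
                del self.sessions[tok]

    def is_authorized(self, token) -> bool:
        return token in self.sessions


def demo(enforce_status: bool) -> dict:
    """Log in via SSO, disable the account, then probe both failure modes."""
    app = App(enforce_status=enforce_status)
    app.users["alice"] = LocalUser("alice")       # constructed sample account
    tok = app.sso_login({"sub": "alice"})
    app.disable_account("alice")
    return {"old_session_valid": app.is_authorized(tok),
            "relogin_succeeds": app.sso_login({"sub": "alice"}) is not None}
```

`demo(False)` reproduces the advisory's two symptoms (active session survives, re-authentication succeeds); `demo(True)` shows both closed.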

Official resources

The vulnerability was disclosed via coordinated disclosure through SEC Consult, with public disclosure occurring on April 14, 2026. The vendor has released patched versions for affected on-premise deployments.