## https://sploitus.com/exploit?id=AC8BA49C-6B0C-5FC3-A311-C5C14C8864A6
# CVE-2026-50338
Spring Cloud Azure B2C Resource Server Cross-Issuer Authentication Bypass
## Description
`AadB2cResourceServerAutoConfiguration` in `spring-cloud-azure-autoconfigure`
builds a `JwtDecoder` that trusts six AAD-line issuers
(`login.microsoftonline.com`, `sts.windows.net`, `sts.chinacloudapi.cn`, v1 and
v2 each) inherited from `AadTrustedIssuerRepository` via
`AadB2cTrustedIssuerRepository.java:30`. It installs no `tid` claim validator,
and the `aud` predicate uses `containsAll` (vacuously true on empty audiences).
An attacker with an AAD app registration in the same tenant mints a
`client_credentials` token whose `iss` is `https://sts.windows.net//`
and whose `aud` matches the B2C app's client-id. The B2C resource server
accepts it because the AAD issuer is in its trusted set and no further claim
validation rejects the cross-identity-system token.
This is the B2C twin of CVE-2026-33117 (AAD resource server). PR #49033 fixed
the AAD path; the B2C path was not touched until PR #49252 (merged 2026-06-02,
released in the July 2026 Security Update).
With `tenant-id=common`, any Entra tenant's token is accepted.
Affected: `spring-cloud-azure-starter-active-directory-b2c` \
--client-id \
--client-secret \
--victim-api
# Without MSAL (raw HTTP token request):
python3 poc.py \
--target http://localhost:8080/profile \
--tenant-id \
--client-id \
--client-secret \
--victim-api \
--no-msal
# Verbose output (full token claims and response):
python3 poc.py ... -v
```
The attacker app registration needs:
- A client secret
- An API permission for the victim B2C app's client-id (or a scope under it)
## Requirements
- Python 3.8+, `msal`, `requests`
- An Entra ID tenant with an app registration (attacker role)
- A Spring Boot app using `spring-cloud-azure-starter-active-directory-b2c`
<= 5.19.0 as the target
## Files
| File | Description |
|------|-------------|
| `poc.py` | Python PoC: mints AAD token, sends to B2C endpoint, reports bypass |
| `README.md` | Vulnerability details and usage |
| `LICENSE` | GPLv3 license |
## References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50338
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117
- https://johannes-moeller.dev/blog/cve-2026-50338-spring-cloud-azure-b2c-cross-issuer
- https://github.com/Azure/azure-sdk-for-java/pull/49252
- https://github.com/Azure/azure-sdk-for-java/pull/49033
## Legal Notice
This project is released under the GNU GPLv3.
It is provided for defensive security research, education, and authorized
testing. Do not use this code against systems or services without explicit
permission from the owner.
Unauthorized use may violate applicable law. The authors do not grant permission
to test third-party systems and are not responsible for misuse.
See the LICENSE file for warranty and liability terms.