CVE-2026-4412

CVE-2026-4412: Authentication Bypass via Asymmetric Key Confusion in TitanWorkflow

AdvisoryMay 18, 2026TitanWorkflow Suite v5.x

Severity Assessment

High Severity

CVSS SCORE8.1/10

Key Confusion Flaws in Distributed Tasks

TitanWorkflow provides enterprise task orchestration across distributed cloud resources. Our team uncovered a flaw where its internal authorization check handles tokens using mismatched cryptographic algorithm definitions, allowing complete privilege escalation.

Attack Progression

By acquiring the target's public RSA validation key from an open discovery endpoint, an adversary can sign forged tokens locally using an HMAC-SHA256 signature layer. The target validation framework interprets the key string symmetrically, authenticating malicious payloads without error barriers.

JWTKey ConfusionAuth Bypass

Related Intelligence

Further exploration based on cross-referenced content.

tools

ODIJWT v6.0: Advanced Offensive JWT Toolkit

An elite offensive security workstation utility engineered to automate the auditing, forgery, and exploit simulation of JSON Web Token verification primitives.

April 15, 2026

blog

Breaking JWT Identity Primitives: Common Cryptographic Misconfigurations

An operational analysis of JSON Web Token verification flaws, covering key confusion vectors and algorithm switching vulnerabilities.

May 14, 2026

research

CVE-2025-8492: SAML Signature Wrapping leading to Auth Bypass in CoreIdentity SSO

An architectural analysis of how XML signature wrapping (XSW) allows attackers to forge administrative SAML assertions in CoreIdentity.

November 4, 2025

Establishing Connection...