Improper Enforcement of Locked Accounts in WebUI (SSO) in Kiuwan SAST on-premise (KOP) & cloud/SaaS

Title

Improper Enforcement of Locked Accounts in WebUI (SSO)

Product

Kiuwan SAST on-premise (KOP) & cloud/SaaS

Vulnerable Version

<2.8.2509.4

Fixed Version

2.8.2509.4

CVE Number

CVE-2026-24069

Impact

medium

Found

31.03.2025

By

Bernhard Gründling, Fabian Würfl, Johannes Greil (Office Vienna) | SEC Consult Vulnerability Lab

Management summary

Kiuwan SAST did not properly enforce the configuration of locked accounts and allowed a login to the WebUI through SSO authentication, even though the locally mapped Kiuwan account was disabled.

Vendor description

"Thorough code inspection is essential for designing secure software products. While your development team may not have time to comb through every line of code, Kiuwan does. For 20 years, it has been the choice of developers to scan code automatically and remediate defects according to security standards like OWASP, CWE, SANS, and CERT.

Static application security testing (SAST) scans for security flaws in the source code without running the program. It is a white-box testing method that is the counterpart to dynamic application software testing (DAST), which tests web applications for run-time vulnerabilities. [...]"

Source: https://www.kiuwan.com/code-security-sast/

Business recommendation

The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

1) Improper Enforcement of Locked Accounts in WebUI (SSO) (CVE-2026-24069)

Kiuwan offers the option to enable single sign-on (SSO) for authentication, e.g. through Microsoft ADFS or Azure, to authenticate against an Active Directory. The AD user accounts need to be mapped to locally configured Kiuwan accounts for authorization purposes, e.g. to configure roles and access to applications. SSO users have the local logon disabled and no password set; authentication then only works via SSO.

It was found that a user is still able to log in to the Kiuwan WebUI via SSO even after the mapped Kiuwan account has been disabled by an admin in the user settings. The SSO login does not work in the scanner agent (KLA - Kiuwan Local Analyzer), though: there the check appears to verify the validity of the local account first and returns the error message "Failed to authenticate using Single sign-on". The WebUI therefore accepts the identity asserted by the IdP without consulting the local account status, so disabling a user in Kiuwan does not revoke their WebUI access.

Proof of concept

1) Improper Enforcement of Locked Accounts in WebUI (SSO) (CVE-2026-24069)

No specific PoC is necessary. An SSO login is possible even after disabling the Kiuwan mapped user account in the Kiuwan user admin settings.

Steps to reproduce:

  1. Disable the user in the Kiuwan user settings
  2. Authenticate via SSO, e.g. through Microsoft ADFS
  3. The login to the Kiuwan WebUI succeeds although the mapped account is disabled
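To make the reported behaviour concrete, the following Python sketch is an added illustration by the editor and is not Kiuwan's code. The account model, the `verify_sso_assertion` stand-in for the IdP-side checks, the issuer and audience values, and the user directory are all constructed assumptions. It contrasts a WebUI SSO handler that resolves the local account only to pick up roles (and so never evaluates the admin-set "disabled" flag) with one that enforces the local account status before issuing a session, which is the check the KLA path appears to perform.

```python
"""Added illustration (editor's example, not Kiuwan code): an SSO callback that
resolves the local account only for roles lets a disabled account log in; the
fixed handler enforces the local account status before issuing a session."""
from dataclasses import dataclass, field

# Assumed trust-relationship values; not taken from the product.
TRUSTED_ISSUER = "https://adfs.corp.example/adfs/services/trust"
EXPECTED_AUDIENCE = "kiuwan-webui"


class AuthError(Exception):
    """Raised for any failed login; message kept generic on the hardened path."""


@dataclass
class LocalAccount:
    username: str
    sso_subject: str                 # IdP identity this local account is mapped to
    roles: set = field(default_factory=set)
    disabled: bool = False           # the admin-set "account disabled" flag


# Constructed user directory: one active SSO user, one an admin has disabled.
ACCOUNTS = {
    "alice@corp.example": LocalAccount("alice", "alice@corp.example", {"Analyst"}),
    "bob@corp.example": LocalAccount("bob", "bob@corp.example", {"Admin"},
                                     disabled=True),
}

# Constructed assertions as they would arrive from the IdP after signature checks.
ACTIVE_USER_ASSERTION = {"issuer": TRUSTED_ISSUER, "audience": EXPECTED_AUDIENCE,
                         "subject": "alice@corp.example"}
DISABLED_USER_ASSERTION = {"issuer": TRUSTED_ISSUER, "audience": EXPECTED_AUDIENCE,
                           "subject": "bob@corp.example"}


def verify_sso_assertion(assertion: dict) -> str:
    """Stand-in for the IdP-side checks (signature, issuer, audience).
    Returns the asserted subject; it says nothing about the local account."""
    if assertion.get("issuer") != TRUSTED_ISSUER:
        raise AuthError("untrusted issuer")
    if assertion.get("audience") != EXPECTED_AUDIENCE:
        raise AuthError("wrong audience")
    return assertion["subject"]


def webui_sso_login_vulnerable(assertion: dict) -> dict:
    """Mirrors the reported WebUI behaviour: the local account is consulted
    only to pick up roles, so the 'disabled' flag is never evaluated."""
    subject = verify_sso_assertion(assertion)
    account = ACCOUNTS.get(subject)
    if account is None:
        raise AuthError("no mapped local account")
    return {"user": account.username, "roles": sorted(account.roles)}


def webui_sso_login_fixed(assertion: dict) -> dict:
    """Same flow, but the local account status gates the session regardless
    of what the IdP asserted, as the KLA path appears to do."""
    subject = verify_sso_assertion(assertion)
    account = ACCOUNTS.get(subject)
    if account is None or account.disabled:
        # One generic message for 'unmapped' and 'disabled': no enumeration hint.
        raise AuthError("Failed to authenticate using Single sign-on")
    return {"user": account.username, "roles": sorted(account.roles)}


def sso_login_allowed(handler, assertion: dict) -> bool:
    """True if the given handler would issue a session for the assertion."""
    try:
        handler(assertion)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", webui_sso_login_vulnerable),
                          ("fixed", webui_sso_login_fixed)):
        print(name, "| active user:", sso_login_allowed(handler, ACTIVE_USER_ASSERTION),
              "| disabled user:", sso_login_allowed(handler, DISABLED_USER_ASSERTION))
```

The design point is that the IdP only vouches for the identity; whether that identity may currently use the application is a local decision, so every login path (WebUI, agent, API) must consult the same account status before a session is created. After upgrading, the steps above double as the verification check: a disabled user authenticating through ADFS should now receive the same generic failure in the WebUI as in the KLA, while an active user still logs in.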

Vulnerable / tested versions

The following version was tested, which was the latest version available at the time of the test:

  • 2.8.2412.0

Vendor contact timeline

2025-04-02 Contacting vendor through official Kiuwan ticket system (kiuwan.zendesk.com). Kiuwan support responds that they will take a look into our submission. Support sends us a few details regarding SSO authentication.
2025-04-03 Informing the vendor that we know how SSO auth in Kiuwan works and our vulnerability exploits the improper enforcement of locked accounts.
2025-04-15 Vendor informs us that the issue has been escalated to R&D.
2025-07-29 Vendor has resolved the issue in the latest Kiuwan Cloud release.
2025-07-29 Asking the vendor regarding the fix for Kiuwan On-Premise. Vendor responds that it is currently being tested for KOP and they will inform us.
2025-11-03 Asking for a status update as we were not informed yet.
2025-11-10 Support team responds that KOP release is expected within the next couple of weeks.
2025-11-24 Issue has been resolved in the latest KOP release.
2025-11-28 Informing vendor that we cannot upgrade/verify the KOP release yet, scheduled for 2026.
2026-04-16 Public release of advisory.

Solution

The security issue has been fixed by the vendor on 29th July 2025 for the Kiuwan Cloud solution.

The vendor provides a patch for the Kiuwan On-Premises version 2.8.2509.4 which can be downloaded from the vendor's installation page:

https://support.kiuwan.com/hc/en-us/articles/36356787260433-Kiuwan-On-Premises-Distributed-Installation-Guide

Workaround

None

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Bernhard Gründling, Johannes Greil, Fabian Würfl / @2026