CVE-2026-27478
📋 TL;DR
This critical authentication bypass vulnerability in Unity Catalog allows attackers to forge JWTs with arbitrary issuer claims to bypass authentication. Any system running Unity Catalog 0.4.0 or earlier with the token exchange endpoint exposed is affected, potentially allowing unauthorized access to sensitive data and AI assets.
💻 Affected Systems
- Unity Catalog
📦 What is this software?
Unitycatalog by Unitycatalog
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access to Unity Catalog, exfiltrate all data assets, manipulate AI models, and pivot to connected systems.
Likely Case
Unauthorized access to sensitive data assets and AI models stored in Unity Catalog, potentially leading to data theft, manipulation, or denial of service.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts from reaching vulnerable endpoints.
🎯 Exploit Status
The vulnerability is straightforward to exploit by crafting JWTs with arbitrary issuer claims. No authentication is required to reach the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.1 or later
Vendor Advisory: https://github.com/unitycatalog/unitycatalog/security/advisories/GHSA-qqcj-rghw-829x
Restart Required: Yes
Instructions:
1. Upgrade Unity Catalog to version 0.4.1 or later.
2. Restart all Unity Catalog services.
3. Verify the fix by testing authentication with valid and invalid JWTs.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the vulnerable endpoint using firewall rules or network policies.
iptables -A INPUT -p tcp --dport [UNITY_CATALOG_PORT] -m string --string "/api/1.0/unity-control/auth/tokens" --algo bm -j DROP
Reverse Proxy Validation
Implement issuer validation at a reverse proxy layer before requests reach Unity Catalog.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Unity Catalog from untrusted networks
- Deploy a WAF or API gateway with JWT validation rules to block malicious requests
🔍 How to Verify
Check if Vulnerable:
Check Unity Catalog version and test if the token exchange endpoint accepts JWTs with untrusted issuer claims.
Check Version:
Check Unity Catalog deployment configuration or container image tags for version information.
Verify Fix Applied:
After patching, verify that JWTs with untrusted issuer claims are rejected and only validated issuer JWTs are accepted.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with unusual issuer claims
- Successful authentications from unexpected identity providers
- High volume of requests to /api/1.0/unity-control/auth/tokens
Network Indicators:
- Unusual traffic patterns to the token exchange endpoint
- Requests containing JWTs with non-standard issuer URLs
SIEM Query:
source="unity-catalog" AND (uri_path="/api/1.0/unity-control/auth/tokens" AND (status=200 OR jwt_issuer NOT IN ["trusted-issuers"]))
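The Reverse Proxy Validation workaround above and the log indicators in this section rest on the same check: read the JWT's `iss` claim and compare it to an allowlist of trusted issuers. The block below is an added example, not code from the advisory or from the Unity Catalog project; the allowlist value, the log line format and the sample log lines are constructed for illustration.

```python
import base64
import json
import re

TRUSTED_ISSUERS = {"https://idp.example.com/"}  # constructed allowlist; use your IdP's issuer URL
TOKEN_EXCHANGE_PATH = "/api/1.0/unity-control/auth/tokens"  # endpoint named in the advisory

def make_unsigned_jwt(claims: dict) -> str:
    """Compact JWT with an empty signature, used here only to build sample log data."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."

def jwt_issuer(token: str):
    """Read 'iss' WITHOUT verifying the signature (None if malformed); it only selects the verification policy."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass it
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    return iss if isinstance(iss, str) else None

def issuer_is_trusted(token: str, trusted=TRUSTED_ISSUERS) -> bool:
    """Reverse-proxy gate: exact match against the allowlist, so lookalike issuers fail."""
    return jwt_issuer(token) in trusted

# Constructed log format: <client> "<METHOD> <path>" <status> jwt=<token>; adapt to real logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) jwt=(?P<jwt>\S+)$')

def flag_untrusted_issuers(log_lines, trusted=TRUSTED_ISSUERS):
    """(client, issuer, status) for token-exchange requests with a non-allowlisted issuer; a 200 here signals the bypass."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        iss = jwt_issuer(m["jwt"])
        if m["path"] == TOKEN_EXCHANGE_PATH and iss not in trusted:
            hits.append((m["ip"], iss, int(m["status"])))
    return hits

# Constructed sample: legitimate exchange, forged issuer with a 200 (the bypass), forged token on another path, malformed token.
GOOD_JWT = make_unsigned_jwt({"iss": "https://idp.example.com/", "sub": "alice"})
FORGED_JWT = make_unsigned_jwt({"iss": "https://untrusted.example.net/", "sub": "admin"})
SAMPLE_LOGS = [
    f'10.0.0.5 "POST {TOKEN_EXCHANGE_PATH}" 200 jwt={GOOD_JWT}',
    f'203.0.113.9 "POST {TOKEN_EXCHANGE_PATH}" 200 jwt={FORGED_JWT}',
    f'10.0.0.7 "GET /other/endpoint" 200 jwt={FORGED_JWT}',
    f'198.51.100.2 "POST {TOKEN_EXCHANGE_PATH}" 401 jwt=not-a-jwt',
]
```

Running `flag_untrusted_issuers(SAMPLE_LOGS)` returns the forged-issuer request that received a 200 and the malformed-token request, while the legitimate exchange and the request to the unrelated path are not reported.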