Category: security
Workaround: solid
Stage: build
Freshness: persistent
Scope: framework
Upstream: open
Recurring: Yes
Buyer Type: team
Maintainer: active
Client applications blindly trust external OAuth servers without verification
Severity: 9/10 (Critical)

In multi-tenant or SSO scenarios, client applications often fail to verify that authorization data (email, user profile) actually comes from the OAuth server configured for that user's account. A malicious OAuth server can return forged credentials, enabling account takeover.
Collection History
Query: “What are the most common pain points with OAuth 2.0 for developers in 2025?” (3/31/2026)
However, it is crucial that the client application server verifies that the OAuth server providing this information actually belongs to the server configured for the user's account...the client application should never blindly trust the external OAuth server without verifying the data...If the client application does not check the correspondence between the email address and the OAuth server, an attacker could take control of another user's account.
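The check the excerpt above calls for, as an added example rather than code from the page or any project it describes: a callback handler for a multi-tenant client application that links a returned OAuth identity to a local account only when the issuer that produced it is both the server this login was started against and the server the account was provisioned from. The issuer URLs, the account table and the pending-login state store are constructed stand-ins; the unsafe lookup is shown beside the hardened one to make the difference concrete.

```python
"""Added example (not from the original page): binding an OAuth identity to
the authorization server configured for the account before trusting it.
All issuer URLs, accounts and states below are constructed test data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OAuthIdentity:
    issuer: str    # server that asserted this identity ("iss" claim / userinfo origin)
    subject: str   # stable user id at that issuer ("sub" claim)
    email: str


class IdentitySourceMismatch(Exception):
    """Raised when the identity did not come from the server it should have."""


# Constructed local account table: each account remembers the issuer it was
# provisioned from and its subject id there, not just an email address.
ACCOUNTS = {
    "alice@example.com": {"issuer": "https://idp.example.com", "subject": "alice-123"},
}

# Constructed state store filled in when a login starts: the "state" value
# is bound to the issuer the user was actually redirected to, so the
# callback knows which server it exchanged the code with.
PENDING_LOGINS = {
    "st-good": "https://idp.example.com",
    "st-evil": "https://idp.attacker.test",
    "st-spoof": "https://idp.example.com",
}


def resolve_account_unsafe(identity: OAuthIdentity) -> Optional[dict]:
    """The pattern the page warns about: accept whatever any server asserts
    and look the account up by email alone."""
    return ACCOUNTS.get(identity.email)


def resolve_account(state: str, identity: OAuthIdentity) -> Optional[dict]:
    """Hardened lookup. Three things must agree before the identity is
    trusted: the issuer this login was started against, the issuer named in
    the returned identity, and the issuer configured for the account."""
    expected_issuer = PENDING_LOGINS.pop(state, None)   # single use: no replay
    if expected_issuer is None:
        raise IdentitySourceMismatch("unknown or already-used state")
    if identity.issuer != expected_issuer:
        raise IdentitySourceMismatch(
            f"iss {identity.issuer!r} does not match the server used for this "
            f"login {expected_issuer!r}")
    account = ACCOUNTS.get(identity.email)
    if account is None:
        return None   # no existing account; provisioning is out of scope here
    if account["issuer"] != identity.issuer:
        raise IdentitySourceMismatch(
            f"account {identity.email} is bound to {account['issuer']!r}, "
            f"not to {identity.issuer!r}")
    if account["subject"] != identity.subject:
        raise IdentitySourceMismatch("subject does not match the linked account")
    return account


if __name__ == "__main__":
    legit = OAuthIdentity("https://idp.example.com", "alice-123", "alice@example.com")
    forged = OAuthIdentity("https://idp.attacker.test", "x-1", "alice@example.com")
    print("legit :", resolve_account("st-good", legit))
    print("unsafe:", resolve_account_unsafe(forged))   # returns Alice's account
    try:
        resolve_account("st-evil", forged)
    except IdentitySourceMismatch as exc:
        print("hardened rejected forged identity:", exc)
```

The email is only ever used to find a candidate account; the decision to link rests on the issuer and subject recorded when the account was created. A server the application never configured for that account, however valid its own tokens, cannot satisfy that comparison.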
Created: 3/31/2026
Updated: 3/31/2026