CVE-2020-7692
HIGH
Google OAuth Client Library for Java < 1.31.0 - Incorrect Authorization via Missing PKCE Implementation
Title source: llm
Exploitation Summary
EIP tracks 2 public exploit repositories for CVE-2020-7692, published by dawetmaster and andikahilmy. Note that the analysis below found no working exploit in either.
AI-analyzed exploit summary
The repository contains only GitHub issue templates, CI/CD scripts, and build configurations for the Google OAuth Java client. There is no exploit code, vulnerability analysis, or proof-of-concept related to CVE-2020-7692.
Description
PKCE (Proof Key for Code Exchange, RFC 7636) is not implemented as required by RFC 8252, OAuth 2.0 for Native Apps. Without PKCE, the authorization code returned by the authorization server is the only secret in the exchange, so possession of the code is not enough to guarantee that the client redeeming it is the one that issued the initial authorization request. On a shared device, a malicious app that can receive the redirect (for example by registering the same custom URI scheme as the legitimate native app) obtains the authorization code and exchanges it at the token endpoint for access to the protected resource. With PKCE, the client sends a code_challenge with the authorization request and must present the matching code_verifier at the token endpoint, so an intercepted code alone is useless; this only holds if the authorization server actually enforces the check. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0; upgrade to 1.31.0 or later and enable PKCE on the authorization code flow.
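The code-interception scenario above and the PKCE check that closes it, as an added illustration that is not part of this page or of google-oauth-client: a Python simulation of the RFC 7636 exchange against a constructed in-memory authorization server. The client_id, redirect URI and the AuthorizationServer class are assumptions made for the example. It shows that an intercepted code alone yields a token without PKCE and fails under S256 PKCE, and checks the S256 challenge derivation against the RFC 7636 Appendix B test vector.

```python
"""PKCE (RFC 7636) vs. a bare authorization-code exchange.

Constructed example: an in-memory authorization server plus a legitimate
native app and a malicious app on the same device that has intercepted the
authorization code (for instance by registering the same custom URI scheme).
Nothing here is google-oauth-client code; client_id and redirect_uri are
made up for the demonstration.
"""
import base64
import hashlib
import secrets

CLIENT_ID = "native-app"                          # assumed client registration
REDIRECT_URI = "com.example.app:/oauth2redirect"  # assumed custom-scheme redirect


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: high-entropy string of 43..128 unreserved chars.
    32 random bytes base64url-encode to exactly 43 characters."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS: issues single-use codes and, when a code was bound to a
    code_challenge, demands the matching code_verifier at the token endpoint."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge=None,
                  code_challenge_method="S256"):
        """Authorization endpoint: returns the code delivered to redirect_uri."""
        if code_challenge is not None and code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": redirect_uri,
                             "challenge": code_challenge}
        return code

    def token(self, code, client_id, redirect_uri, code_verifier=None):
        """Token endpoint: returns an access token or raises ValueError.
        The code is invalidated on the first attempt, successful or not."""
        rec = self._codes.pop(code, None)
        if rec is None:
            raise ValueError("invalid_grant: unknown or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: client_id/redirect_uri mismatch")
        if rec["challenge"] is not None:
            # RFC 7636 section 4.6: recompute the challenge from the presented verifier.
            if code_verifier is None or not secrets.compare_digest(
                    make_code_challenge(code_verifier), rec["challenge"]):
                raise ValueError("invalid_grant: PKCE verification failed")
        return "at-" + secrets.token_hex(8)


def _redeem(server, code, code_verifier=None):
    """True if the token endpoint hands out a token for this code."""
    try:
        server.token(code, CLIENT_ID, REDIRECT_URI, code_verifier)
        return True
    except ValueError:
        return False


def intercepted_code_without_pkce():
    """google-oauth-client < 1.31.0 behaviour: no code_challenge is sent, so the
    malicious app that captured the redirect can redeem the code. Returns True
    when the attacker obtains a token."""
    srv = AuthorizationServer()
    code = srv.authorize(CLIENT_ID, REDIRECT_URI)          # no PKCE
    return _redeem(srv, code)                              # attacker, no verifier


def intercepted_code_with_pkce():
    """Same interception with S256 PKCE. Returns
    (attacker_without_verifier, attacker_with_guessed_verifier, legitimate_client)."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()                         # stays in the real app's memory
    code = srv.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    attacker_no_verifier = _redeem(srv, code)               # fails and burns the code
    code = srv.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    attacker_guess = _redeem(srv, code, make_code_verifier())
    code = srv.authorize(CLIENT_ID, REDIRECT_URI, make_code_challenge(verifier))
    legitimate = _redeem(srv, code, verifier)
    return attacker_no_verifier, attacker_guess, legitimate


def rfc7636_vector_ok():
    """RFC 7636 Appendix B test vector for the S256 method."""
    return (make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
            == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")


if __name__ == "__main__":
    print("no PKCE, attacker gets token:", intercepted_code_without_pkce())
    print("S256 PKCE (attacker no verifier, attacker guess, real client):",
          intercepted_code_with_pkce())
    print("RFC 7636 Appendix B vector:", rfc7636_vector_ok())
```

The point to check in a real deployment is the server side of the last step: a client that sends code_challenge but talks to an authorization server that ignores it gets no protection, so verify that a token request carrying a wrong code_verifier is actually rejected, as the simulated endpoint does here.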
Exploits (2)
The repository contains only GitHub issue templates, CI/CD scripts, and build configurations for the Google OAuth Java client. There is no exploit code, vulnerability analysis, or proof-of-concept related to CVE-2020-7692.
The repository contains only GitHub issue templates, CI/CD scripts, and build configurations for the Google OAuth Java client library. No exploit code, vulnerability details, or proof-of-concept related to CVE-2020-7692 are present.
References (7)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (base score 7.4, High; the high attack complexity reflects the need for a malicious app on the victim's device to intercept the redirect)