CVE-2025-47411
HIGHApache StreamPipes <= 0.97.0 - Privilege Escalation via JWT Token Manipulation
Title source: llmDescription
A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue.
References (2)
Core 2
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/lngko4ht2ok3o0rk9h0clgm4kb0lmt36
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/12/29/14
Scores
CVSS v3
8.1
EPSS
0.1479
EPSS Percentile
96.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-269
Status
published
Products (2)
apache/streampipes
0.69.0 - 0.98.0
org.apache.streampipes/streampipes-parent
0.69.0 - 0.98.0Maven
Published
Jan 01, 2026
Tracked Since
Feb 18, 2026