SEC Consult has disclosed a security vulnerability in Kiuwan SAST (on-premise and cloud versions) concerning the improper enforcement of locked accounts when Single Sign-On (SSO) is used. Identified as CVE-2026-24069, the flaw allows users whose local accounts have been disabled to authenticate successfully and reach the Kiuwan WebUI whenever an SSO mechanism such as Microsoft ADFS or Azure AD is in use.
While the Kiuwan Local Analyzer (KLA) correctly validates account status and denies access to disabled users, the WebUI does not perform this secondary authorization check after the SSO login. Because the identity provider only confirms who the user is, not whether their Kiuwan account is still active, users whose access should have been revoked can still view source code analysis results. Patches have been released for both the cloud and on-premise versions (v2.8.2509.4).
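As an added illustration of the missing check (example code, not Kiuwan's own; the account store, claim names and the constructed IdP assertion are assumptions), the vulnerable pattern is shown beside the hardened one, which keeps the local account status authoritative even after a successful SSO login:

```python
from dataclasses import dataclass


# Hypothetical local account table standing in for the application's own
# user store; Kiuwan's real schema is not known and is not reproduced here.
@dataclass
class LocalAccount:
    username: str
    disabled: bool


ACCOUNTS = {
    "alice": LocalAccount("alice", disabled=False),
    "bob": LocalAccount("bob", disabled=True),  # access revoked locally
}


def idp_assertion(subject: str) -> dict:
    """Constructed stand-in for the claims an SSO login receives after the
    identity provider (ADFS, Azure AD) has verified the user's credentials.
    Signature/issuer validation is assumed to have happened already."""
    return {"sub": subject, "idp": "constructed-idp"}


def login_sso_assertion_only(assertion: dict) -> bool:
    """Vulnerable pattern: a valid assertion for a known user is enough
    to open a session. The local 'disabled' flag is never consulted, so a
    locally disabled user still gets in (the behaviour the advisory describes)."""
    return assertion.get("sub") in ACCOUNTS


def login_sso_with_local_check(assertion: dict) -> tuple[bool, str]:
    """Hardened pattern: the IdP proves identity, but authorization is decided
    by the local account state. Returns (allowed, reason); the reason is meant
    to be written to the audit log so revoked-user login attempts are visible."""
    account = ACCOUNTS.get(assertion.get("sub"))
    if account is None:
        return False, "no_local_account"
    if account.disabled:
        return False, "account_disabled"
    return True, "ok"


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        claims = idp_assertion(user)
        print(user, "assertion-only:", login_sso_assertion_only(claims),
              "with local check:", login_sso_with_local_check(claims))
```

Both the WebUI and the KLA entry points should route through the same local-status check so that disabling an account revokes every login path at once.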