Products
Spotfire Server versions affected:
Spotfire Server 14.0.12 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1, 14.4.2, 14.5.0, 14.6.0, 14.6.1, 14.6.2, 14.7.0, 14.8.0
Summary
Details
Spotfire Security Advisory: July 14, 2026 - Spotfire - CVE-2026-8590
Spotfire OAuth2 PKCE Bypass for public clients
Last revised: —
CVE-2026-8590
Source: Cloud Software Group Inc
Description
The Spotfire Server component contains a vulnerability in the PKCE handling of its OAuth 2.0 authorization server.
Impact
Successful exploitation may allow an unauthenticated attacker to impersonate another user. Exploitation requires user interaction and specific attack conditions.
CVSS v4.0 Base Score : 8.7 / High
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N)
Resolution
Cloud Software Group has released updated versions of the affected systems which address this issue.
Components:
Spotfire Server 14.0.12 and earlier: upgrade to 14.0.13 or higher
Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1, 14.4.2, 14.5.0, 14.6.0, 14.6.1, 14.6.2: upgrade to 14.6.3 or higher
Spotfire Server 14.7.0, 14.8.0: upgrade to 15.0.0 or higher
These components are included in the following products:
Spotfire Enterprise 14.0.12 and earlier: upgrade to 14.0.13 or higher
Spotfire Enterprise 14.4.2, 14.5.0, 14.6.0, 14.6.1, 14.6.2: upgrade to 14.6.3 or higher
Spotfire Enterprise 14.7.0, 14.8.0: upgrade to 15.0.0 or higher
Spotfire Enterprise with External Consumers 14.0.12 and earlier: upgrade to 14.0.13 or higher
Spotfire Enterprise with External Consumers 14.5.0, 14.6.0, 14.6.1, 14.6.2: upgrade to 14.6.3 or higher
Spotfire Enterprise with External Consumers 14.7.0, 14.8.0: upgrade to 15.0.0 or higher
Spotfire on Kubernetes 4.2.0 and earlier: upgrade to 4.3.0 or higher
Spotfire on Kubernetes 5.0.x, 6.0.x: upgrade to 7.0.0 or higher
Environment
Products Affected
The following components are affected:
Spotfire Server 14.0.12 and earlier
Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1, 14.4.2, 14.5.0, 14.6.0, 14.6.1, 14.6.2
Spotfire Server 14.7.0, 14.8.0
These components are included in the following products:
Spotfire Enterprise 14.0.12 and earlier
Spotfire Enterprise 14.4.2, 14.5.0, 14.6.0, 14.6.1, 14.6.2
Spotfire Enterprise 14.7.0, 14.8.0
Spotfire Enterprise with External Consumers 14.0.12 and earlier
Spotfire Enterprise with External Consumers 14.5.0, 14.6.0, 14.6.1, 14.6.2
Spotfire Enterprise with External Consumers 14.7.0, 14.8.0
Spotfire on Kubernetes 4.2.0 and earlier
Spotfire on Kubernetes 5.0.x, 6.0.x
Comments
0 comments
Article is closed for comments.