Bug Report: [SECURITY] OIDC Connector bundles vulnerable nimbus-jose-jwt #102

@lprimak

Description

Brief Summary

fish.payara.security.connectors:security-connector-oidc-client:4.0.0.Alpha3
bundles nimbus-jose-jwt via the shade plugin, which is flagged as having a CVE / vulnerability.
This is brought in by Payara, which makes the whole thing flag as moderate severity.

Expected Outcome

The security connector needs to be upgraded with a fixed nimbus-jose-jwt module.

Current Outcome

Payara is being flagged as a moderate vulnerability.

Reproducer

N/A

Operating System

Any

JDK Version

Any

Ecosystem Tool

Security Connectors
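
A shaded copy of a library does not appear as a separate dependency in the consuming project's dependency tree, so the bundled version has to be read from the jar itself. The following is an added example, not part of the original issue or the Payara code base: it inspects a jar for embedded nimbus-jose-jwt Maven metadata and falls back to class paths when that metadata has been filtered out. The function names, the `shaded/` relocation prefix, and the version numbers `1.0.0` and `2.0.0` are constructed placeholders; supply the fixed version from the advisory your scanner reports.

```python
import io
import re
import zipfile

def _ver(v):
    """Numeric parts of a version string as a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def audit_jar(jar_bytes, group_id, artifact_id, class_dir, min_fixed):
    """Report whether group_id:artifact_id is bundled in a (shaded) jar."""
    meta = f"META-INF/maven/{group_id}/{artifact_id}/pom.properties"
    versions, classes = [], 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(meta):
                # pom.properties is key=value text written by Maven at build time
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        versions.append(line.split("=", 1)[1].strip())
            elif class_dir in name and name.endswith(".class"):
                # substring match also catches relocated packages (assumed layout)
                classes += 1
    if not versions and not classes:
        status = "absent"
    elif not versions:
        status = "bundled-version-unknown"  # metadata stripped, classes remain
    elif any(_ver(v) < _ver(min_fixed) for v in versions):
        status = "bundled-below-fixed"
    else:
        status = "bundled-ok"
    return {"versions": versions, "classes": classes, "status": status}

def sample_jar(version=None):
    """Constructed in-memory jar: one nimbus class, optional Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("shaded/com/nimbusds/jose/JWSObject.class", b"")
        if version:
            jar.writestr(
                "META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties",
                f"groupId=com.nimbusds\nartifactId=nimbus-jose-jwt\nversion={version}\n",
            )
    return buf.getvalue()

if __name__ == "__main__":
    # "1.0.0" and "2.0.0" are constructed placeholders, not real release numbers
    for jar in (sample_jar("1.0.0"), sample_jar("2.0.0"), sample_jar()):
        print(audit_jar(jar, "com.nimbusds", "nimbus-jose-jwt",
                        "com/nimbusds/jose/", min_fixed="2.0.0"))
```

A `bundled-version-unknown` result means the classes are present but the version cannot be read from metadata, so the connector's own build file is the place to confirm it.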

Labels

Status: Accepted (Confirmed defect or accepted improvement to implement, issue has been escalated to Platform Dev)
Type: Bug (Label issue as a bug defect)
