Impact
In Cloudfoundry UAA versions 77.30.0 to 78.7.0 and Cloudfoundry Deployment releases 48.7.0 to 54.10.0, a logic error in the token revocation endpoint causes tokens not to be revoked when a user requests revocation. Because the revocation process fails silently, a token that was meant to be invalidated continues to grant access. Without working revocation, an attacker who holds a cached or stolen valid token, or a compromised user account, can keep using that token indefinitely, retaining any elevated privileges it carries.
Affected Systems
This vulnerability affects the Cloud Foundry UAA component and Cloud Foundry deployment releases. The specific impacted product families are Cloudfoundry Foundation UAA versions 77.30.0 through 78.7.0 and Cloudfoundry Deployment releases 48.7.0 through 54.10.0. The vulnerability is present in all 7.x versions within those ranges; it does not affect Cloud Foundry components other than UAA, nor earlier or later releases outside the indicated ranges.
Risk and Exploitability
The CVSS base score is 6.5, indicating moderate severity, and the EPSS score is less than 1%, indicating a low likelihood of exploitation at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to trigger the revocation endpoint or otherwise influence the revocation logic, which is typically available only to authenticated users who control a token. Because the flaw does not allow arbitrary code execution or privilege escalation beyond misuse of an existing token, the primary risk is that a token which is already compromised keeps its privileges after the owner believes it has been revoked.
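The following canary check, added here and not part of the advisory or of the UAA project, drives the sequence a defender would run after patching: introspect a test token, revoke it by its jti, introspect it again, and report STILL_ACTIVE if the failure mode described under Impact is present. It assumes UAA's /introspect and DELETE /oauth/token/revoke/{jti} endpoints, that the introspection body carries the jti claim, and that the token is permitted to revoke itself; the classify() decision also works offline on captured responses.

```python
"""Canary check for the revocation failure described above: obtain a token,
revoke it, then confirm UAA reports it inactive. Endpoint paths are assumptions
taken from UAA's public API (/introspect, DELETE /oauth/token/revoke/{jti})."""
import base64
import json
import urllib.parse
import urllib.request

REVOKED, STILL_ACTIVE, INCONCLUSIVE = "REVOKED", "STILL_ACTIVE", "INCONCLUSIVE"


def classify(before: dict, after: dict, revoke_status: int) -> str:
    """Decide from two introspection responses whether revocation took effect.
    before/after are RFC 7662-style bodies ({"active": bool, "jti": ...})."""
    if not before.get("active"):
        return INCONCLUSIVE          # token was never usable; nothing to revoke
    if revoke_status != 200:
        return INCONCLUSIVE          # the revoke call itself failed
    if after.get("active"):
        return STILL_ACTIVE          # the advisory's failure mode
    return REVOKED


def _basic(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def introspect(uaa: str, token: str, client_id: str, secret: str) -> dict:
    """POST /introspect with client credentials; returns the JSON body."""
    req = urllib.request.Request(
        f"{uaa}/introspect",
        data=urllib.parse.urlencode({"token": token}).encode(),
        headers={"Authorization": _basic(client_id, secret),
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def revoke(uaa: str, token: str, jti: str) -> int:
    """DELETE /oauth/token/revoke/{jti}, authenticating with the token itself."""
    req = urllib.request.Request(f"{uaa}/oauth/token/revoke/{jti}", method="DELETE",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run_check(uaa: str, token: str, client_id: str, secret: str) -> str:
    """End to end: introspect, revoke by jti, introspect again, classify."""
    before = introspect(uaa, token, client_id, secret)
    status = revoke(uaa, token, before["jti"]) if before.get("active") else 0
    after = introspect(uaa, token, client_id, secret)
    return classify(before, after, status)
```

Run run_check() against a test UAA with a short-lived token issued for this purpose; a STILL_ACTIVE result after upgrading indicates the fix is not in effect.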
OpenCVE Enrichment