Impact
Kiuwan SAST allows SSO logins for accounts that have been locally disabled: any user marked as disabled in the local user directory can still authenticate through the WebUI SSO flow and access the application. This flaw falls under Authentication Failure (CWE-863) and can lead to unauthorized use of the system by accounts that administrators have explicitly disabled, potentially exposing sensitive project data or settings. The vulnerability does not grant elevated privileges beyond what the account normally holds, but it bypasses an explicit security boundary established by disabling the account.
Affected Systems
The flaw affects Kiuwan Cloud and the on-premise Kiuwan SAST (KOP) platform. For Kiuwan Cloud the security issue was resolved with the release dated 29 July 2025; for the on-premise product, the fix is included in version 2.8.2509.4 and later. Any deployment running a version prior to the respective fix is vulnerable.
Risk and Exploitability
The CVSS base score of 5.4 marks it as a moderate severity issue, and the EPSS score of less than 1% indicates low exploitation probability. It is not listed in the CISA KEV catalog. The likely attack vector is remote, via the SSO authentication service: anyone who can still authenticate to the identity provider as a locally disabled account (the account's owner, or an attacker holding its credentials) can complete the SSO flow and evade the disabled-account control. Because the flaw directly undermines account status enforcement, rapid remediation is advisable to prevent unauthorized access. Until the fix is applied, disabling the account at the identity provider as well as locally closes the SSO path, since the flow cannot complete without an assertion from the identity provider.
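The following is an added model of the flaw class described above; it is not Kiuwan's code. It contrasts an SSO assertion-consumer that reads the local record only for roles (the pattern behind the bug) with one that treats local account status as a hard gate. The directory contents, the assertion shape and the log strings are constructed assumptions.

```python
# Added model of the flaw class in this advisory, not Kiuwan's code: the IdP vouches
# for WHO the user is, but the application must still enforce its OWN account status
# before minting a session. Directory contents and assertion shape are assumptions.
from collections import namedtuple

# Constructed local user directory: the administrator has disabled 'bob'.
LOCAL_DIRECTORY = {
    "alice": {"disabled": False, "roles": ["analyst"]},
    "bob":   {"disabled": True,  "roles": ["admin"]},
}
# subject: identity asserted by the IdP (e.g. a SAML NameID);
# issuer_trusted: stands in for signature/issuer validation, assumed already done.
SsoAssertion = namedtuple("SsoAssertion", "subject issuer_trusted")

class LoginRejected(Exception):
    pass

def _local_record(assertion, directory):
    """Shared prefix of both paths: trust the assertion, then map it to a local user."""
    if not assertion.issuer_trusted:
        raise LoginRejected("untrusted assertion")
    record = directory.get(assertion.subject)
    if record is None:
        raise LoginRejected("no local account for SSO subject")
    return record

def sso_login_vulnerable(assertion, directory=LOCAL_DIRECTORY):
    """Pattern behind the flaw: the local record is read for roles only."""
    record = _local_record(assertion, directory)
    return {"user": assertion.subject, "roles": record["roles"]}  # 'disabled' never checked

def sso_login_fixed(assertion, directory=LOCAL_DIRECTORY):
    """Hardened: local account status is a hard gate on every login path, SSO included."""
    record = _local_record(assertion, directory)
    if record["disabled"]:
        raise LoginRejected(f"account {assertion.subject} is disabled")
    return {"user": assertion.subject, "roles": record["roles"]}

def login_outcome(login_fn, subject):
    """Drive one login path with a trusted assertion: 'session' or 'rejected: <reason>'."""
    try:
        login_fn(SsoAssertion(subject, True))
        return "session"
    except LoginRejected as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for fn in (sso_login_vulnerable, sso_login_fixed):
        print(fn.__name__, "bob ->", login_outcome(fn, "bob"))
```

Running the block shows the disabled account receiving a session on the vulnerable path and a rejection on the fixed path; the same rejection is the event a deployment should log and alert on, since a disabled account presenting a valid assertion is itself a signal.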
OpenCVE Enrichment