
nOAuth Exploit Enables Full Account Takeover of Entra Cross-Tenant SaaS Applications



A severe security flaw, dubbed nOAuth, has been identified in certain software-as-a-service (SaaS) applications integrated with Microsoft Entra ID, potentially allowing attackers to achieve full account takeover across tenant boundaries.

Research conducted by Semperis, disclosed on June 26, 2025, revealed that 9 out of 104 tested applications (approximately 9%) in the Microsoft Entra App Gallery were vulnerable to this exploit.

Critical Vulnerability Exposes SaaS Apps

The nOAuth vulnerability exploits a critical authentication misconfiguration in OpenID Connect (OIDC) implementations in which developers use a mutable attribute, such as the email address, as the user identifier.

Since Entra ID permits unverified email addresses on user accounts, an attacker can impersonate a legitimate user by setting that attribute on an account in a separate tenant, gaining unauthorized access to sensitive data and enabling persistence and lateral movement within the compromised application.
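The difference between a lookup keyed on the mutable email claim and one keyed on immutable identifiers is what decides whether an application is exposed. The following is an added example, not code from the article, from Semperis or from Microsoft: it contrasts the two lookups against two constructed, already-signature-validated claim sets, one from the user's own tenant and one from an unrelated tenant carrying the same email value. All tenant IDs, object IDs, addresses and account IDs are constructed. The `tid`, `oid`, `email` and `xms_edov` claim names are the standard Entra ID token claims; the account stores and helper names are assumptions made for the example.

```python
# Added example (not from the article): keying a SaaS user store on the
# mutable `email` claim versus the immutable (tid, oid) pair.
# Every identifier, address and token below is constructed for illustration.

def _claims(tid, oid, email, edov=None):
    """Build a constructed claim set standing in for a validated ID token."""
    claims = {"tid": tid, "oid": oid, "email": email}
    if edov is not None:
        # xms_edov: optional Entra claim, true when the email domain owner is verified
        claims["xms_edov"] = edov
    return claims

VICTIM_TID = "11111111-aaaa-4aaa-8aaa-111111111111"   # constructed tenant ID
VICTIM_OID = "22222222-bbbb-4bbb-8bbb-222222222222"   # constructed object ID
VICTIM_EMAIL = "alice@customer.example"

FOREIGN_TID = "99999999-cccc-4ccc-8ccc-999999999999"  # constructed, unrelated tenant
FOREIGN_OID = "88888888-dddd-4ddd-8ddd-888888888888"

# Constructed tokens: the real user, and a user in another tenant whose
# unverified mail attribute was set to the same address.
LEGIT_TOKEN = _claims(VICTIM_TID, VICTIM_OID, VICTIM_EMAIL, edov=True)
FOREIGN_TOKEN = _claims(FOREIGN_TID, FOREIGN_OID, VICTIM_EMAIL)

# Vulnerable store (assumed): one account row per email address.
ACCOUNTS_BY_EMAIL = {VICTIM_EMAIL: "acct-0042"}
# Hardened store (assumed): one row per (tid, oid), recorded at first sign-in.
ACCOUNTS_BY_TID_OID = {(VICTIM_TID, VICTIM_OID): "acct-0042"}


def resolve_by_email(claims):
    """Vulnerable pattern: any tenant that presents this email value gets the account."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def resolve_by_tid_oid(claims):
    """Hardened pattern: only the exact directory object in the exact tenant matches."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return ACCOUNTS_BY_TID_OID.get((tid, oid))


def email_claim_trustworthy(claims):
    """Treat the email claim as verified only when the token asserts xms_edov."""
    return claims.get("xms_edov") is True


def audit_email_collisions(tokens):
    """Detection aid: report email values that arrive from more than one (tid, oid)."""
    seen = {}
    for c in tokens:
        seen.setdefault(c.get("email"), set()).add((c.get("tid"), c.get("oid")))
    return {email: ids for email, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    print("by email, foreign tenant:", resolve_by_email(FOREIGN_TOKEN))     # acct-0042
    print("by tid+oid, foreign tenant:", resolve_by_tid_oid(FOREIGN_TOKEN))  # None
    print("collisions:", audit_email_collisions([LEGIT_TOKEN, FOREIGN_TOKEN]))
```

The `sub` claim is equally usable as the immutable key (it is stable per user per application), whereas `oid` identifies the directory object across applications in the tenant; either must be paired with `tid`, since object IDs are only meaningful within their tenant. The collision audit is a cheap detection check to run over sign-in records when retrofitting an existing email-keyed store.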

Verified domain name in Entra ID

The nOAuth exploit is alarmingly straightforward, requiring only access to an Entra tenant and ...


Copyright of this story solely belongs to gbhackers. To see the full text click HERE.