GHSA-5x9f-6vg5-qg4m: Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token
Severity: high
Tags: vulnerability, security
Summary
Omni has a TOCTOU race condition (a timing bug where two operations that should be atomic happen separately, allowing a race between them) in its SAML authentication system. An attacker who intercepts a single-use SAML session token can send multiple concurrent requests with that token. Because the system checks whether the token has been used and then marks it as used in two separate steps rather than in one atomic operation, both requests can pass validation, allowing the attacker to authenticate as the victim multiple times.
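The check-then-mark pattern the summary describes, as an added example in Go (the language Omni is written in) that is not Omni's code: `VulnerableAuth` takes the lock once for the check and again for the mark, leaving a window in which concurrent requests with the same token all pass, while `ConsumeOnce` does both under a single lock acquisition. The `SessionStore` type and token strings are constructed placeholders.

```go
package main

import "sync"

// Constructed example, not Omni's code. SessionStore tracks which single-use
// SAML session tokens (placeholder strings here) have already been consumed.
type SessionStore struct {
	mu   sync.Mutex
	used map[string]bool
}

func NewSessionStore() *SessionStore { return &SessionStore{used: map[string]bool{}} }

// IsUsed and MarkUsed are each locked, but separately: nothing stops another
// request from running its own IsUsed between this request's two calls.
func (s *SessionStore) IsUsed(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.used[token]
}

func (s *SessionStore) MarkUsed(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.used[token] = true
}

// VulnerableAuth is the check-then-mark flow behind the advisory's TOCTOU.
func (s *SessionStore) VulnerableAuth(token string) bool {
	if s.IsUsed(token) {
		return false
	}
	// race window: a concurrent request can also pass IsUsed right here
	s.MarkUsed(token)
	return true
}

// ConsumeOnce does the check and the mark under one lock acquisition, so
// exactly one caller can ever observe the token as unused.
func (s *SessionStore) ConsumeOnce(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.used[token] {
		return false
	}
	s.used[token] = true
	return true
}
```

The same atomic-consume shape applies when the store is a database: a single `UPDATE ... WHERE used = false` whose affected-row count decides acceptance, rather than a `SELECT` followed by an `UPDATE`.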
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 5, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
github.com/siderolabs/omni@>= 1.7.0, < 1.7.3 (fixed: 1.7.3)
github.com/siderolabs/omni@< 1.6.6 (fixed: 1.6.6)
Original source: https://github.com/advisories/GHSA-5x9f-6vg5-qg4m
First tracked: June 5, 2026 at 02:00 PM