Critical IAM Vulnerabilities – February 2026 Technical Analysis

Identity and Access Management remains one of the most critical control planes in modern enterprise environments. The vulnerabilities observed in February 2026 highlight recurring structural weaknesses in authentication, token validation, and federated trust models. When examined closely, these issues demonstrate that identity failures are rarely caused by broken cryptography, but instead by flawed assumptions around trust boundaries and enforcement logic.


FortiCloud SSO Authentication Bypass

This vulnerability emerged in environments using FortiCloud Single Sign-On with SAML, where insufficient validation of SAML assertions enabled authentication bypass. The core issue was a breakdown in trust between the Identity Provider and the service consuming the assertion. When assertion integrity and origin are not rigorously verified, attackers can impersonate legitimate users without valid credentials. In practice, this allowed unauthorized administrative access to Fortinet management interfaces, creating a direct path to configuration tampering, credential exposure, and persistent control over network infrastructure.


The appropriate mitigation for this class of vulnerability is immediate patching of affected Fortinet components combined with a reassessment of SSO usage on management planes. Administrative access should be isolated behind restricted network paths and monitored with identity-aware logging. Federated authentication must be treated as an extension of the attack surface rather than a security enhancement by default.
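What "rigorous verification of assertion integrity and origin" looks like on the relying-party side, as an added example (not Fortinet or FortiCloud code): a check layer that a service provider runs over an inbound SAML assertion. It assumes the cryptographic XML signature has already been verified by an XML-DSig library, and it assumes constructed values for the trusted issuer, SP entity ID and ACS URL. It goes a little beyond the page's description by also checking that the signature's Reference actually covers the assertion being consumed, the validity window, the audience, the recipient and the binding to an outstanding request.

```python
"""Post-signature checks for a SAML assertion consumed by a service provider.

Added example, not Fortinet/FortiCloud code. The caller must already have
verified the XML signature with an XML-DSig library; this layer then checks
that the signed element is the one being consumed and that origin, audience,
recipient, validity window and request binding all match this SP.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Constructed SP configuration (assumed values, not from any real deployment).
TRUSTED_ISSUERS = {"https://idp.example.com/saml"}
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
CLOCK_SKEW = timedelta(minutes=2)


def _parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_assertion(xml_text: str, expected_in_response_to: str, now_iso: str) -> list[str]:
    """Return a list of failures (empty means accept). Every check is explicit;
    a missing element is a failure, never a pass."""
    now = _parse_time(now_iso)
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return ["root element is not a saml:Assertion"]
    assertion_id = root.get("ID", "")
    # The signature must cover *this* assertion: a ds:Reference whose URI points
    # at a different ID is the classic signature-wrapping indicator.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        failures.append("assertion is unsigned")
    elif ref.get("URI") != f"#{assertion_id}":
        failures.append("signature reference does not cover this assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        failures.append(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or na is None:
            failures.append("validity window not bounded")
        else:
            if now < _parse_time(nb) - CLOCK_SKEW:
                failures.append("assertion not yet valid")
            if now >= _parse_time(na) + CLOCK_SKEW:
                failures.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if SP_ENTITY_ID not in audiences:
            failures.append("assertion not addressed to this SP")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            failures.append("recipient mismatch")
        if scd.get("InResponseTo") != expected_in_response_to:
            failures.append("InResponseTo does not match an outstanding request")
        bearer_until = scd.get("NotOnOrAfter")
        if bearer_until and now >= _parse_time(bearer_until) + CLOCK_SKEW:
            failures.append("bearer confirmation expired")
    return failures


# Constructed sample assertion for demonstration (not a captured real one; the
# Signature element is reduced to the Reference this layer inspects).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2026-02-10T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="2026-02-10T10:10:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2026-02-10T09:59:00Z" NotOnOrAfter="2026-02-10T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "_req42", "2026-02-10T10:01:00Z"))
```

The design point is that each failure is collected rather than short-circuited, so logs for a rejected assertion show every mismatch (useful for identity-aware monitoring), and that no check defaults to "pass" when an element is absent.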


Keycloak OIDC Dynamic Client Registration SSRF

Keycloak deployments were impacted by a flaw in OpenID Connect dynamic client registration that allowed arbitrary jwks_uri values to be supplied by clients. This resulted in the identity server making uncontrolled outbound requests, effectively turning it into a server-side request forgery primitive. Although the vulnerability manifests as SSRF, its IAM impact is substantial because identity servers often reside in highly trusted network segments.


Mitigation requires upgrading to patched Keycloak versions and implementing strict outbound traffic controls for identity services. Dynamic client registration should be disabled or heavily restricted unless absolutely required. IAM platforms must operate under the assumption that any external fetch capability can be abused and should therefore be constrained at the network and policy level.
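One way to constrain the external fetch capability at the policy level, as an added example (not Keycloak code): validate a client-supplied jwks_uri against an explicit allowlist before the identity server ever opens a connection. The allowlisted hosts are constructed for the example. It only does static URL checks so that it runs offline; a production deployment should additionally resolve the host and reject private, loopback and link-local addresses at connect time (DNS rebinding), and pair this with the network egress controls the section describes.

```python
"""Allowlist-based validation of a client-supplied jwks_uri before any fetch.

Added example, not Keycloak code. Assumes the deployment keeps an explicit
list of identity-provider domains whose JWKS endpoints it will contact.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: only these hosts (or their subdomains) may serve JWKS documents.
ALLOWED_JWKS_HOSTS = ("idp.example.com", "login.partner.example")


def _host_is_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_JWKS_HOSTS)


def validate_jwks_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason). Only an https URL to an allowlisted host, on the
    default port, without userinfo and without an IP-literal host, is accepted.
    Anything ambiguous is rejected: the server never guesses on behalf of a client."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-default port"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue with the hostname allowlist
    else:
        return False, "IP-literal hosts are rejected"
    if not _host_is_allowed(host):
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://idp.example.com/realms/demo/protocol/openid-connect/certs",
        "http://idp.example.com/certs",
        "https://10.0.0.5/certs",
        "https://idp.example.com.evil.test/certs",
    ):
        print(candidate, "->", validate_jwks_uri(candidate))
```

Denying by default and allowing by exception is the point: the registration endpoint should not need a denylist of internal ranges if it never accepts a host it does not already trust.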


GitLab Multi-Factor Authentication Bypass

A critical GitLab vulnerability allowed multi-factor authentication to be bypassed under specific conditions due to flawed authentication logic. While GitLab is not an IAM platform itself, it acts as a high-value identity consumer, frequently integrated with corporate SSO and holding privileged access tokens. The bypass demonstrated how downstream applications can silently undermine identity assurance even when MFA is enforced at the provider level.


The primary remediation is upgrading to the fixed GitLab releases and enforcing stronger identity guarantees through centralized policies. MFA enforcement should be validated end-to-end, and sensitive services should be protected with conditional access and risk-based authentication rather than relying solely on application-level controls.


Drupal OAuth and OpenID Connect Access Bypass

In Drupal environments using the Simple OAuth and OpenID Connect modules, access bypass vulnerabilities were identified due to insufficient token and authorization validation. These issues stem from accepting structurally valid tokens without fully enforcing semantic constraints such as audience, issuer, and scope. As a result, users who should have been treated as unauthenticated could nonetheless access protected resources.


Resolution involves updating affected modules and enforcing strict token validation rules across all relying parties. OAuth and OpenID Connect integrations must treat tokens as untrusted input until every claim is explicitly validated. Authorization decisions should be centralized and consistent rather than distributed across individual application components.


Azure Windows Admin Center Token Validation Weakness

Research into Azure Windows Admin Center revealed token validation flaws with potential tenant-wide impact. Management interfaces that rely on identity tokens are particularly sensitive to validation errors because a single incorrect assumption can scale across roles and resources. In this case, weaknesses in token handling created conditions where privilege boundaries could be crossed within a tenant.


Mitigation focuses on applying vendor updates, enforcing privileged identity management practices, and strengthening conditional access controls for administrative tools. Management interfaces must be considered part of the IAM control plane and protected accordingly with strict identity verification and continuous monitoring.


Conclusion

The vulnerabilities disclosed in February 2026 collectively reinforce a critical lesson for identity security. IAM systems fail not when algorithms break, but when trust is granted too broadly and validation is treated as optional. Authentication bypasses, token misuse, and identity-driven SSRF all point to the same root cause: insufficient skepticism in identity flows. Organizations that treat IAM as passive infrastructure rather than as a high-risk security control will continue to face disproportionate impact when these systems fail.


Sources and Official References

Fortinet Product Security Incident Response Team advisory on FortiCloud SSO authentication bypass https://www.fortiguard.com/psirt/FG-IR-26-060


Cybersecurity and Infrastructure Security Agency guidance on active exploitation of Fortinet authentication bypass vulnerabilities https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability


National Vulnerability Database entry for Keycloak OpenID Connect dynamic client registration SSRF vulnerability https://nvd.nist.gov/vuln/detail/CVE-2026-1180


GitLab official security release and coordinated disclosure summary for multi-factor authentication bypass https://about.gitlab.com/releases/


Qualys Application Security Research publication covering Drupal OAuth2 and OpenID Connect access bypass detections https://notifications.qualys.com/notifications/2026/02/01/application-security-detections-published-in-january-2026


Cymulate Research Labs technical analysis of Azure Windows Admin Center token validation weakness https://cymulate.com/blog/cve-2026-20965-azure-windows-admin-center-tenant-wide-rce