Jwt

An unauthenticated attacker can exploit a vulnerability in the PHP JWT Library's PBES2AESKW::unwrapKey() function when processing JWE tokens that use PBES2-HS*+A*KW algorithms by crafting a JWE with an excessively large 'p2c' (PBKDF2 iteration count) parameter in the JOSE header, forcing the server to perform an unbounded and CPU-intensive PBKDF2 computation, resulting in a CPU-amplification denial of service.

A Time-of-Check/Time-of-Use (TOCTOU) vulnerability exists in the `JWSVerifier` and `JWEDecrypter` components of the `web-token/jwt-framework` and `web-token/jwt-library` PHP packages, allowing an attacker to override the integrity-protected `alg` parameter from the unprotected header, leading to authentication bypass and unauthorized access.

Praisonai-platform versions up to and including 0.1.4 are vulnerable to a critical authentication bypass stemming from a hardcoded JWT signing secret ('dev-secret-change-me') and a bypassed production guard, allowing unauthenticated attackers to forge JSON Web Tokens (JWTs) and impersonate any user, leading to complete access, privilege escalation to workspace owner, and potential resource destruction.

A public exploit is available for CVE-2026-29000, a critical authentication bypass vulnerability in pac4j's JWT implementation, allowing attackers to forge admin tokens without a valid signature by exploiting flaws in the library's handling of unsigned tokens and JWE-wrapped tokens.

The HAXcms Node.js backend contains two cryptographic implementation errors in the `hmacBase64()` function that allow an unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request.

Portainer's authentication middleware accepts JWT bearer tokens passed as the `?token=<JWT>` URL query parameter on any authenticated API endpoint, leading to JWT leakage to logs and referrers, where a leaked token grants the full privileges of the user it was issued to, until the token expires.

A vulnerability in Fleet versions prior to 4.82.0 allows authentication tokens from any Azure AD tenant to be accepted, enabling unauthorized device enrollment and MDM API access due to improper JWT signature validation, tracked as CVE-2026-24899.

A critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (CVE-2026-27478), allowing attackers to impersonate any user by forging JWTs with a self-controlled issuer and exchanging them for valid access tokens, granting unauthorized access to catalogs and other resources.

A server-side authentication bypass vulnerability exists in opentelemetry-collector-contrib's azureauthextension versions 0.124.0 through 0.150.0, allowing attackers with a valid Azure access token to authenticate to any OpenTelemetry receiver that uses `auth: azure_auth` due to improper JWT validation.

The fast-jwt library fails to validate the 'crit' header, allowing attackers to bypass security policies and potentially achieve split-brain verification in mixed-library environments.

The fast-jwt library is vulnerable to JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key due to an incomplete fix for CVE-2023-48223, allowing attackers to bypass intended security measures by exploiting leading whitespace in the RSA public key, enabling attackers to sign arbitrary payloads that will be accepted by the verifier, potentially leading to privilege escalation.

A critical vulnerability in the fast-jwt library allows attackers to forge JWTs by exploiting the acceptance of empty HMAC secrets in the async key resolver, leading to authentication bypass.

Note Mark is vulnerable to a JWT secret weakness that allows for full account takeover via token forgery by accepting secrets as short as 1 byte, enabling attackers to crack the signing secret offline and forge valid JWTs for any user.

The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.