Skip to main content

Jwt Attack CVE-2026-34240

| EUVDEUVD-2026-17498 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-03-31 GitHub_M GHSA-vm9r-h74p-hg97
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:10 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.3.5+1
EUVD ID Assigned
Mar 31, 2026 - 16:00 euvd
EUVD-2026-17498
Analysis Generated
Mar 31, 2026 - 16:00 vuln.today
CVE Published
Mar 31, 2026 - 15:44 nvd
HIGH 7.5

DescriptionGitHub Advisory

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key. Applications using affected versions for token verification are impacted. This issue has been patched in version 0.3.5+1. A workaround for this issue involves rejecting tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store.

AnalysisAI

JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only standard JWT manipulation tools.

Technical ContextAI

JOSE (JavaScript Object Signing and Encryption) libraries implement RFC 7515-7518 standards for JWT token verification. This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) affects the appsup-dart/jose Dart implementation. During JWS/JWT signature verification, the library's key selection logic improperly treats the 'jwk' (JSON Web Key) parameter in the JOSE header as a valid verification candidate. JOSE headers are user-controlled input transmitted with each token, making them untrusted data. The library fails to enforce a critical security boundary: verification keys must come exclusively from the application's pre-configured trusted keystore, never from token headers. This allows algorithmic confusion where the attacker dictates which key verifies their signature, fundamentally breaking the trust model of asymmetric cryptography in authentication systems.

RemediationAI

Upgrade to appsup-dart/jose version 0.3.5+1 or later, which implements proper key validation to reject header-supplied jwk parameters that do not match trusted keystore entries. The fix is available via the GitHub commit at https://github.com/appsup-dart/jose/commit/b07799aac1f56a9a21483feac026272aab30cc5d. For environments unable to immediately upgrade, implement application-layer validation to reject any JWT tokens containing a 'jwk' parameter in the JOSE header, or verify that any header-supplied jwk cryptographically matches a key already present in your application's trusted key configuration. Review authentication logs for anomalous token validations that may indicate exploitation attempts prior to patching.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-34240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy