What is the CVSS score of CVE-2026-34240?

CVE-2026-34240 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Jwt Attack are affected by CVE-2026-34240?

The appsup-dart/jose library (versions before 0.3.5+1) contains a JWT token forgery vulnerability that allows unauthenticated attackers to bypass authentication by injecting malicious public keys…. A patch is available.

Jwt Attack CVE-2026-34240

EUVD-2026-17498 HIGH

Improper Verification of Cryptographic Signature (CWE-347)

2026-03-31 GitHub_M

GHSA-vm9r-h74p-hg97

Information Disclosure Jwt Attack

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:10 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

0.3.5+1

EUVD ID Assigned

Mar 31, 2026 - 16:00 euvd

EUVD-2026-17498

Analysis Generated

Mar 31, 2026 - 16:00 vuln.today

CVE Published

Mar 31, 2026 - 15:44 nvd

HIGH 7.5

DescriptionNVD

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key. Applications using affected versions for token verification are impacted. This issue has been patched in version 0.3.5+1. A workaround for this issue involves rejecting tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store.

AnalysisAI

JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. …

RemediationAI

Within 24 hours: Identify all applications and services using appsup-dart/jose library versions prior to 0.3.5+1 and assess their authentication criticality. Within 7 days: Upgrade all affected applications to appsup-dart/jose version 0.3.5+1 or later and conduct full regression testing of authentication flows. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34240 vulnerability details – vuln.today

Back

Jwt Attack CVE-2026-34240

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code