Is Jwt Attack affected by EUVD-2026-17498?

The appsup-dart/jose library (versions before 0.3.5+1) contains a critical JWT authentication bypass vulnerability that allows attackers to forge valid authentication tokens without possessing legitimate credentials.

EUVD-2026-17498

| CVE-2026-34240 HIGH

2026-03-31 GitHub_M

GHSA-vm9r-h74p-hg97

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 31, 2026 - 16:00 euvd

EUVD-2026-17498

Analysis Generated

Mar 31, 2026 - 16:00 vuln.today

CVE Published

Mar 31, 2026 - 15:44 nvd

HIGH 7.5

Description

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a token payload, embedding an attacker-controlled public key in the header, and signing with the matching private key. Applications using affected versions for token verification are impacted. This issue has been patched in version 0.3.5+1. A workaround for this issue involves rejecting tokens where header jwk is present unless that jwk matches a key already present in the application's trusted key store.

Analysis

JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. …

Remediation

Within 24 hours: inventory all applications and services using appsup-dart/jose library and document current versions in use; immediately restrict network access to affected services where feasible. Within 7 days: establish contact with the appsup-dart project to confirm availability of version 0.3.5+1 or later; if available, prepare patching in a non-production environment for validation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

EUVD-2026-17498 vulnerability details – vuln.today

Back

EUVD-2026-17498

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-17498

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code