Jwt Attack
Monthly
Authentication bypass via forged JWTs in DataEase, an open-source data visualization and BI tool, allows remote unauthenticated attackers to impersonate any user (including administrators) in enterprise deployments before version 2.10.23. The enterprise TokenFilter passes attacker-supplied X-DE-TOKEN values to a validator that checks only token presence and length, then decodes the JWT without verifying its signature, so tokens with a chosen uid and oid are accepted whenever the enterprise license is valid (licenseValid=true). CVSS 4.0 rates this 9.5 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Security feature bypass in Microsoft .NET (shipped via Visual Studio 2022 17.12/17.14 and Visual Studio 2026 18.7) lets a remote, unauthenticated attacker defeat a cryptographic-signature check over the network — most likely a JWT/token signature verification flaw per the vendor 'Jwt Attack' and 'Authentication Bypass' tags. By forging or tampering with signed data the runtime fails to validate correctly, an attacker can impersonate trusted principals and undermine an authentication or integrity control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in Siemens Opcenter X (all versions before V2604) lets an unauthenticated remote attacker forge JSON Web Tokens by exploiting improper validation of the algorithm field in the JWT header. Because the application trusts the attacker-controlled 'alg' value, an attacker can craft tokens that impersonate any user - including administrators - yielding full unauthorized access to the manufacturing operations platform. Rated CVSS 10.0 with a scope-changing critical impact; no public exploit identified at time of analysis and it is not currently in CISA KEV.
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.
Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.
Signature verification bypass in HAVELSAN Liman MYS (versions before release.Master.1107) lets remote attackers forge the source/authenticity of data - tagged as a JWT attack - enabling identity spoofing and likely authentication bypass. Per CVSS the vector is network-based and unauthenticated (AV:N/PR:N) with high impact to confidentiality and integrity. No public exploit is identified at time of analysis and it is not on CISA KEV.
Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) arises from an HMAC signature ambiguity in the Actions Artifacts V4 signed-URL scheme, letting an authenticated low-privilege user reuse a validly signed URL outside its intended repository or task context. An attacker with access to a single Actions task can read private artifacts belonging to other repositories and write upload-state for tasks they do not own, crossing the repository trust boundary (CVSS 9.6, scope-changed). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Signature forgery and denial-of-service in Libreswan's IKEv1 RSA authentication allows a remote unauthenticated attacker to impersonate an IKE peer or crash the daemon. The flaw lives in RSA_authenticate_hash_signature_raw_rsa(), which fails to validate the length of the authentication hash inside a PKCS #1 (RFC 2313) encoded SIG payload; when a peer uses a small RSA public exponent such as e=3, a Bleichenbacher-style forgery becomes feasible. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the impersonation impact against IKEv1 raw-RSA authentication makes this a high-severity issue (CVSS 8.1); remote code execution is explicitly not possible and X.509 certificate verification is unaffected.
Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 signatures. A remote unauthenticated attacker can mount a Bleichenbacher-style forgery to impersonate a peer when small RSA public exponents (e.g., e=3) are in use, or send an undersized hash to trip an assertion that aborts and restarts the daemon for sustained DoS. A vendor patch is available and there is no public exploit identified at time of analysis; RCE is not possible and X.509 certificate verification of the peer is unaffected.
Improper cryptographic signature verification in the CubeSpace CW0057 Reaction Wheel firmware (versions prior to 5.0.20) permits an attacker with physical access to flash arbitrary, unsigned firmware onto the device without any authentication. This affects a safety-critical spacecraft attitude control component used in CubeSat and small satellite missions, where unauthorized firmware replacement could cause mission-critical failures including attitude loss or uncontrolled spacecraft behavior. A proof-of-concept exploit exists (indicated by E:P in the CVSS 4.0 supplemental vector); no active exploitation has been confirmed by CISA KEV at time of analysis.
Cross-tenant JWT authentication bypass in Centrifugo (v3 through v6) lets an attacker holding a valid token for one allowed issuer/tenant authenticate as a different issuer/tenant when the server uses dynamic JWKS endpoint templates. The flaw stems from the JWKS cache and singleflight lookup being keyed only by the JWT header 'kid', so a key fetched for tenant A is reused to verify a token claiming tenant B whenever both JWKS documents share the same 'kid' and tenant A's key is cached first. Publicly available exploit code exists in the form of a reporter-supplied Go unit-test PoC; there is no evidence of active exploitation, and the CVSS base score is 8.2 (AC:H, PR:L, scope-changed).
Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.
Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.
Firmware update signature bypass in Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28 allows an authenticated remote attacker to supply unvalidated firmware packages, potentially compromising storage array integrity and availability. The root cause is CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag suggests the firmware validation chain relies on a JWT-based signing mechanism that can be circumvented under specific conditions. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the self-disclosure by Hitachi with a coordinated patch release indicates vendor-confirmed severity.
Signature type-binding bypass in @sigstore/core (npm) allows an attacker who controls the `payloadType` field of a DSSE envelope to substitute every ASCII character with a Unicode variant whose low byte matches, producing PAE bytes identical to a legitimate signature and causing verification to pass for a mismatched content type. All versions up to and including 3.2.0 are affected; a working proof-of-concept is included in the GitHub security advisory GHSA-jfc7-64v2-mr8c. The vulnerability is not confirmed in the CISA KEV catalog, but exploit code is publicly available, making exploitation straightforward for any attacker positioned to craft or relay DSSE envelopes.
JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.
Signer confusion in wolfSSL's PKCS7_verify implementation allows a crafted PKCS#7 message to report a trusted certificate as the signer even when an attacker-controlled certificate produced the actual signature. Any application using wolfSSL for PKCS#7 signature verification - including JWT workflows flagged in the CVE tags - may incorrectly authorize operations as if from a trusted party. No public exploit has been identified at time of analysis, but the upstream fix is available as GitHub PR #10203 and the vulnerability is straightforwardly reproducible by anyone familiar with PKCS#7 certificate bundle structure.
PKCS#12 MAC verification in wolfSSL accepts truncated or zero-length MACs because the comparison uses an attacker-controlled length field parsed from the input structure rather than the expected digest size, completely defeating HMAC integrity protection on PKCS#12 key stores. Any wolfSSL-based application that parses PKCS#12 files from untrusted sources - including certificate import endpoints, VPN provisioning services, or key management systems - can be tricked into accepting a structurally tampered PKCS#12 bundle as MAC-verified. No public exploit code or CISA KEV listing has been identified; the upstream fix is available as GitHub PR #10192 but a tagged patched release has not been independently confirmed.
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).
HMAC tag forgery in wolfSSL's OpenSSL-compatibility layer allows a zero-length or arbitrarily truncated HMAC tag to pass verification in EVP_DigestVerifyFinal, undermining message authentication for any application relying on this API path. Applications compiled with the OPENSSL_EXTRA flag that use EVP_DigestVerifyFinal for HMAC verification - including JWT validation libraries and message authentication flows - are affected across all currently-known wolfSSL versions. The root length check only enforced that the supplied tag did not exceed the MAC size, not that it equaled it, so an attacker controlling the tag buffer or length argument could present an empty signature and bypass integrity verification. No public exploit has been identified at time of analysis, and CISA KEV does not list this CVE.
Unauthenticated authentication bypass in OpenAM Community Edition (Open Identity Platform fork) through version 16.0.6 lets a network attacker spoof a RADIUS Access-Accept response and obtain a valid OpenAM session for any RADIUS-mapped username, without knowing the shared secret. The flaw stems from the RADIUS client accepting the first inbound UDP datagram as authoritative while skipping source, identifier, and Response Authenticator checks, making it materially easier to exploit than BlastRADIUS (CVE-2024-3596) since no MD5 chosen-prefix forgery is needed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is confirmed in version 16.1.1.
Signature-verification bypass in wolfSSL's OpenSSL compatibility layer allows a degenerate (certs-only) PKCS#7 object - one with empty signerInfos and no actual signature - to be falsely reported as verified by wolfSSL_PKCS7_verify(). Applications using the PKCS7_verify() compat API to authenticate attacker-supplied PKCS#7/CMS bundles can be tricked into treating unsigned content as authentic, undermining integrity guarantees. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the underlying defect is a classic improper-signature-verification (CWE-347) issue with a CVSS 4.0 base score of 8.2.
Authenticated remote code execution in ATEN Unizon stems from a broken cryptographic signature check in the updateWar method (reachable via doCryptoHugeFileToFile), letting a high-privileged remote attacker push a forged WAR update and run arbitrary code as SYSTEM. The flaw (CWE-347) was reported by Trend Micro ZDI as ZDI-CAN-28590 and carries a CVSS 3.0 base score of 7.2; no public exploit identified at time of analysis.
Authentication bypass in Rocket.Chat's SAML service provider lets attackers log in as arbitrary users when SAML is enabled but the IdP certificate field is left at its empty shipped default, which causes signature validation to be silently skipped. All versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 are affected, and the CVSS 4.0 base score is 9.3 (Critical). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the fail-open behavior is reachable in a near-default configuration, making it a high-priority fix.
Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.
Signature substitution in CoreWCF's WS-Security message processing allows a remote unauthenticated attacker to replace the server's cryptographic integrity check with a signature of the attacker's choosing, effectively forging authenticated SOAP messages. Affected versions of CoreWCF.Primitives perform a document-wide lookup for ds:Signature elements rather than scoping verification to the wsse:Security header, so an attacker-injected signature in a preceding SOAP header is found and verified first. Exploitation is constrained by two non-default server-side prerequisites, limiting widespread risk on generic deployments, but the integrity bypass is complete where those conditions are met. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis.
Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT signature verification (CWE-347), allowing remote attackers to forge authentication tokens without valid credentials and gain unauthorized access to protected LMS resources. The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N confirms fully unauthenticated, low-complexity network exploitation, enabling an attacker to impersonate enrolled students or instructors and read or modify course-related data. No public exploit code or active exploitation has been confirmed at time of analysis, and the vulnerability is not listed in CISA KEV.
Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attackers to forge OIDC identity tokens and obtain fully authenticated technician sessions, because the server accepts ID tokens without verifying their cryptographic signature. Publicly available exploit code exists and the flaw can also bypass MFA in some configurations, making vulnerable remote-support deployments a high-priority target despite no current CISA KEV listing.
TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.
Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remote attackers to forge SAML assertions and impersonate users by exploiting a logic flaw where XML encryption was accepted as a substitute for XML signature verification. Because the Service Provider's public encryption key is published in SAML metadata, any party - not just a trusted Identity Provider - can craft encrypted-but-unsigned assertions that UAA will decrypt and trust, breaking the identity-assurance guarantee of SAML. No public exploit identified at time of analysis, but the cryptographic confusion (CWE-347) is well-understood and the impact (full identity spoofing into the platform IAM) is severe.
Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-signed requests to inject unvalidated metadata - such as Content-Type or protected HTTP headers - by placing it in the first signature entry of a multi-signature JWS JSON token, even when that entry's signature was never verified. Affected deployments using the cxf-rt-rs-security-jose-jaxrs module may incorrectly trust attacker-controlled content type or header values, steering JAX-RS entity parsing or signed-header consistency checks in unintended ways. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-released patches 4.2.2 and 4.1.7 were published June 10, 2026.
Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.
Authentication bypass in NSA Ghidra versions prior to 12.1 allows any holder of a valid CA-signed certificate to impersonate arbitrary users by submitting their public certificate alongside a null signature to PKIAuthenticationModule.authenticate(). Successful exploitation yields privilege escalation, tampering of repository access controls, exfiltration of shared reverse-engineering databases, and persistent compromise of the Ghidra server. No public exploit identified at time of analysis, but a vendor patch and detailed advisory from VulnCheck are available.
Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.
Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
Late signature validation in Siemens kas (pip/kas >= 4.8, < 5.3) allows an attacker who has already compromised a referenced upstream repository to substitute the cryptographic key used to validate that repository's tag signatures, effectively bypassing integrity checks entirely. Because kas processes and applies configuration includes from external repositories before verifying their signatures, a malicious repository can redirect the signature-validation key to one under attacker control. No public exploit code has been identified at time of analysis, and exploitation requires a highly specific multi-condition scenario including prior supply-chain access to a referenced upstream repo. Vendor-released patch version 5.3 resolves all related attack vectors.
Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.
Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.
Integrity bypass in Siemens kas (pip/kas < 5.3) allows an attacker who controls a referenced external git repository to substitute arbitrary commit content by creating a branch whose name matches the commit SHA recorded in a kas configuration file. Because kas passed the raw SHA string to `git checkout` without forcing disambiguation to a commit object, git resolves a branch of that name instead of the pinned commit, defeating the integrity guarantee users rely on. The primary impact falls on SHA-256 commit IDs; SHA-1 commits face a related but distinct risk through hash-collision substitution. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.
Cryptographic signature verification bypass in Northern.tech Mender Client 5 (before 5.0.4) allows unauthenticated remote attackers to circumvent JWT-based authentication controls. Tagged as both an Authentication Bypass and a JWT Attack, this CWE-347 flaw means the client fails to properly validate cryptographic signatures on tokens, potentially enabling unauthorized access to protected functionality or data. No public exploit code has been identified at time of analysis, and the low EPSS score of 0.02% (5th percentile) suggests exploitation is not currently widespread.
Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.
Denial of service in the Go golang.org/x/crypto/ssh library before version 0.52.0 allows unauthenticated remote attackers to exhaust CPU on SSH servers by submitting crafted RSA or DSA public keys with oversized parameters during public key authentication. EPSS is very low (0.03%) and there is no public exploit identified at time of analysis, but the bug is trivial to trigger and the fix has been published by the Go team in CL 781641/781661.
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
Authentication bypass in epa4all-client allows MITM attackers positioned within the TI (Telematikinfrastruktur) network to capture SMC-B-signed authentication material by substituting a forged OIDC discovery document. The vulnerability affects all versions prior to 1.2.2 and requires the attacker to intercept TLS connections between the client and Identity Provider. No public exploit identified at time of analysis.
Improper verification of cryptographic signature in the Radeon RGB tool could allow a malicious file placed in the installation directory to be run with elevated privileges potentially leading to. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication controls when the Cloud Authentication Service (CAS) feature is enabled, with the highest risk when CAS is bound to the management interface. The flaw affects PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are not impacted. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability low at 0.08%, but the high-value target profile and CWE-347 (Improper Verification of Cryptographic Signature) class - combined with the 'Jwt Attack' tag - warrant prompt patching.
Zen Browser's auto-update mechanism delivered unsigned code to all users due to deliberately removed MAR signature verification inherited from Firefox. The browser shipped with Mozilla's updater binary stripped of all cryptographic verification code and served update packages containing zero cryptographic signatures. Compromise of the update server or GitHub Actions pipeline allowed arbitrary code execution on all Zen installations without cryptographic chain-of-trust protection. Version 1.19.9b restores MAR signing with RSA-4096 keys and certificate verification in the updater binary.
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
Signature verification bypass in bitcoinj-core library allows attackers to forge Bitcoin transaction validations by exploiting fast-path optimization flaws in P2PKH and P2WPKH script execution. Versions 0.15 through 0.17.0 fail to verify that attacker-supplied public keys match the hash committed to in transaction outputs, enabling arbitrary keypairs to satisfy local transaction validation checks. While this does not affect SPV (Simple Payment Verification) nodes that follow proof-of-work without signature verification, applications using the correctlySpends() method for transaction validation or pre-signing checks are vulnerable to accepting fraudulent transactions. Vendor-released patch available in version 0.17.1, fixes confirmed in GitHub commits 2bc5653c and b575a682. No active exploitation confirmed (not in CISA KEV); EPSS data unavailable.
Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.
The Go toolchain's module proxy validation can be bypassed by attackers controlling untrusted GOPROXY or GOSUMDB endpoints, allowing delivery of malicious toolchain versions that execute with developer privileges. When the go command downloads a different toolchain version (via GOTOOLCHAIN, go.mod, or go.work directives), a malicious proxy can serve altered toolchains by exploiting checksum database validation logic that incorrectly accepts empty responses. While EPSS indicates only 1% exploitation probability and CISA SSVC marks exploitation status as 'none', the total technical impact rating and network attack vector (AV:N) represent significant supply chain risk for organizations using non-default module proxies. Vendor patch available in Go 1.26.3 and 1.25.10.
Improper cryptographic signature verification in Dolibarr ERP CRM up to version 23.0.2 allows remote attackers to bypass signature validation in the Online Signature Module, potentially forging or manipulating signed transactions. The vulnerability affects the dol_verifyHash function and has been publicly disclosed with exploit code available, though exploitation requires high technical complexity and is not confirmed as actively exploited in production environments.
SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
Improper verification of cryptographic signatures in Cesanta Mongoose versions up to 7.20 allows remote attackers to bypass GCM authentication tag validation in the mg_aes_gcm_decrypt function. The vulnerability has high attack complexity and requires no user interaction, but provides only integrity impact (not confidentiality or availability). Publicly available exploit code exists, and vendor has released patched version 7.21.
Signature duplication in AWS Tough TUF client prior to v0.22.0 allows authenticated attackers to bypass threshold signature requirements for delegated role metadata by reusing a single valid signature multiple times. The flaw undermines TUF's multi-signature integrity model, enabling acceptance of forged metadata with reduced cryptographic validation. Vendor patch available (tough-v0.22.0, tuftool-v0.15.0). No public exploit code or active exploitation confirmed at time of analysis, but CVSS 7.0 reflects high integrity impact to both vulnerable and downstream systems.
Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.
The Nimiq staking contract accepts UpdateValidator transactions that omit proof-of-knowledge validation when updating voting keys, enabling rogue-key attacks against BLS signature aggregation used in Tendermint block justification. An attacker who can predict the next epoch's validator set could forge quorum-appearing block justifications with a single signature. Exploitation is constrained by the requirement to predict future validator set composition via VRF, making real-world attacks unlikely despite the critical cryptographic impact. Vendor-released patch v1.3.0 addresses the vulnerability.
Cryptographic signature verification bypass in ASP.NET Core 10.0 enables remote unauthenticated attackers to forge authentication tokens and gain unauthorized access to protected resources. Tagged as a JWT attack involving authentication bypass, this vulnerability allows complete compromise of confidentiality and integrity without requiring any special conditions (AV:N/AC:L/PR:N/UI:N). Microsoft has released a security update addressing this flaw. No active exploitation confirmed in CISA KEV at time of analysis, though the authentication bypass nature and network-accessible attack surface present significant risk for widely deployed ASP.NET Core applications.
OpenClaw 2026.3.22 through 2026.3.30 contain a signature verification bypass in the Nostr direct message (DM) ingress handler that processes pairing challenges before validating event signatures. Remote unauthenticated attackers can send forged DMs to create bogus pending pairing entries, exhaust shared pairing capacity, and trigger unbounded relay and logging work on the Nostr channel, causing denial of service. No public exploit code or active exploitation has been confirmed; a vendor patch is available in version 2026.3.31 and later.
Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.
Authentication bypass in Siemens SINEC NMS versions prior to V4.0 SP3 with UMC allows unauthenticated remote attackers to gain unauthorized access due to insufficient user identity validation in the UMC component (CWE-347: Improper Verification of Cryptographic Signature). The vulnerability enables network-based attacks with low complexity requiring no user interaction (CVSS 7.3, AV:N/AC:L/PR:N/UI:N), granting partial access to confidentiality, integrity, and availability. ZDI tracking ID CAN-27564 suggests coordinated disclosure. No active exploitation (CISA KEV) or public exploit code confirmed at time of analysis, though JWT-related authentication bypasses are well-understood attack primitives.
Cryptographic signature bypass in Palo Alto Networks Cortex XSOAR and XSIAM Microsoft Teams integrations (versions 1.5.0 through 1.5.51) allows unauthenticated remote attackers to access and modify protected resources. The vulnerability stems from improper JWT verification (CWE-347), enabling attackers to forge authentication tokens. With CVSS 7.2 (High complexity, network-accessible, no privileges required) and tags indicating JWT attack vectors and information disclosure potential, this represents a critical integration security flaw requiring immediate patching to version 1.5.52 or later.
Signature verification bypass in wolfSSL's ECCSI implementation allows adjacent network attackers to forge cryptographic signatures for any message and identity without authentication. The wc_VerifyEccsiHash function fails to validate that signature scalars r and s fall within the required mathematical range [1, q-1], enabling attackers with knowledge of public constants to craft universally-valid forged signatures. This defeats the cryptographic integrity guarantees of ECCSI-signed data, particularly affecting JWT authentication systems and identity-based cryptographic protocols. No public exploit identified at time of analysis.
Signature verification bypass in BSV Ruby SDK versions 0.3.1 through 0.8.1 allows authenticated attackers to forge blockchain identity certificates. The WalletClient#acquire_certificate method persists certificates without validating certifier signatures in both 'direct' acquisition (where attackers supply all fields including forged signatures) and 'issuance' protocols (where malicious certifier endpoints inject invalid signatures). Forged certificates appear authentic to list_certificates and prove_certificate operations, enabling impersonation attacks. CVSS 8.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible exploitation requiring low-privilege authentication. No public exploit identified at time of analysis.
LightRAG API authentication can be bypassed via JWT algorithm confusion attack, where an attacker forges tokens by specifying 'alg': 'none' in the JWT header to impersonate any user including administrators. The vulnerability exists in the validate_token() method in lightrag/api/auth.py (line 128), which accepts the unsigned 'none' algorithm despite not explicitly permitting it, allowing unauthenticated remote attackers to gain unauthorized access to protected resources. Publicly available proof-of-concept code demonstrates the attack; vendor has released a patch addressing the root cause of improper algorithm validation.
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity), local attack vector, non-authenticating. No public exploit code or active exploitation confirmed.
Authentication bypass in OneUptime SAML SSO implementation allows authenticated attackers to impersonate arbitrary users by exploiting XML signature verification logic flaws. Affected versions prior to 10.0.42 decouple signature validation from identity extraction, enabling XML injection attacks where an unsigned assertion with attacker-controlled identity precedes a legitimately signed assertion. EPSS and exploitation signals indicate publicly available exploit code exists with moderate technical complexity (CVSS AC:L, PR:L). No confirmed active exploitation (not in CISA KEV).
Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.
JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only standard JWT manipulation tools.
Botan cryptography library versions 3.0.0 through 3.10.x fail to verify OCSP response signatures during X.509 certificate path validation, allowing attackers to forge certificate status responses and potentially bypass revocation checks. This integrity bypass affects any application using Botan for TLS or certificate validation and requires network positioning but not authentication. The vulnerability was patched in version 3.11.0.
Zebra cryptocurrency nodes prior to version 4.3.0 can be forced into consensus split by malicious miners who craft blocks containing V5 transactions with matching txids but invalid authorization data. The vulnerability stems from a cache lookup that used ZIP-244 txid (which excludes authorization data) to bypass full verification, allowing nodes to accept blocks with invalid signatures. While this does not enable invalid transaction acceptance, it isolates vulnerable nodes from the Zcash network, creating fork conditions exploitable for service disruption and potential double-spend scenarios against partitioned nodes. No public exploit code or CISA KEV listing exists, but the technical complexity is low for actors with mining capabilities. Affected products are zebrad and zebra-consensus Rust packages supporting Network Upgrade 5 (V5 transactions). Vendor-released patch: Zebra 4.3.0.
Authentication bypass in OpenClaw's Feishu webhook integration (pre-2026.3.12) allows unauthenticated remote attackers to inject forged events and trigger arbitrary downstream tool execution. The vulnerability occurs when administrators configure only verificationToken without encryptKey, enabling attackers to craft malicious webhook payloads that bypass validation. No public exploit identified at time of analysis, though CVSS 8.8 reflects network accessibility (AV:N), zero complexity (AC:L), and no privileges required (PR:N).
The digitalbazaar/forge npm package accepts forged Ed25519 signatures due to missing scalar canonicalization checks, allowing authentication and authorization bypass in applications that rely on signature uniqueness. All versions since Ed25519 implementation are affected (confirmed through version 1.3.3), identified as pkg:npm/node-forge. Publicly available exploit code exists with a complete proof-of-concept demonstrating how attackers can create multiple valid signatures for the same message by adding the group order L to the scalar component S, bypassing deduplication, replay protection, and signed-object canonicalization checks. The vendor has released a patch via commit bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85.
XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.
A downgrade vulnerability affecting Intel-based Mac computers allows malicious applications to bypass code-signing restrictions and access user-sensitive data. The vulnerability impacts macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), macOS Tahoe (versions before 26.3 and 26.4), and affects all Intel-based Mac systems running vulnerable versions. An attacker can craft an application that exploits insufficient code-signing validation to downgrade security protections and exfiltrate sensitive user information.
Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 certificates by supplying malicious domain parameters (g=1, y=1, r=1) that cause verification functions to incorrectly validate any message hash. This actively undermines authentication and integrity checks in applications using the library for JWT validation, certificate verification, or digital signatures. EPSS score is negligible (0.01%) despite proof-of-concept availability, and CISA SSVC classifies this as requiring proof-of-concept but not automatable, indicating targeted exploitation risk rather than widespread scanning.
PuTTY versions up to 0.83 contain a weak authentication vulnerability in the Ed25519 signature verification function (eddsa_verify in crypto/ecc-ssh.c) that allows remote attackers to potentially forge or manipulate digital signatures due to improper validation of Ed25519 signature components. While a public proof-of-concept exploit exists and the vulnerability affects signature verification, the real-world impact remains unproven, with CVSS 3.7 (low severity) and EPSS probability indicating exploitation is difficult and requires high complexity. The vendor (PuTTY developers) has already released a patch addressing this issue.
A cryptographic signature verification flaw exists in tinyssh's Ed25519 signature handler (crypto_sign_ed25519_tinyssh.c) that allows improper validation of signatures, potentially enabling an attacker to forge or bypass signature checks. Affected versions of janmojzis tinyssh up to 20250501 are impacted, with the vulnerability requiring local execution and high attack complexity. A public exploit has been disclosed, and vendor patches are available in version 20260301.
A cryptographic authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers who gain access to server-level cryptographic material to authenticate as any user and obtain elevated privileges. The vulnerability affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, indicating critical severity. While not currently listed in CISA's KEV catalog and with no public proof-of-concept available, the vulnerability's authentication bypass nature and potential for complete system compromise make it a high-priority patching target.
Private key recovery in Stanford JavaScript Crypto Library (SJCL) ECDH implementation affects all versions prior to 1.0.9, allowing remote unauthenticated attackers to extract a victim's ECDH private key by submitting crafted off-curve public keys and observing the resulting shared-secret outputs. The flaw stems from missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(), combined with dhJavaEc() returning the raw x-coordinate without hashing - providing a direct plaintext oracle. Publicly available exploit code exists (PoC gist by Kr0emer); EPSS is low at 0.02% despite the high confidentiality impact, suggesting limited current opportunistic targeting.
A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.
Authentication bypass via forged JWTs in DataEase, an open-source data visualization and BI tool, allows remote unauthenticated attackers to impersonate any user (including administrators) in enterprise deployments before version 2.10.23. The enterprise TokenFilter passes attacker-supplied X-DE-TOKEN values to a validator that checks only token presence and length, then decodes the JWT without verifying its signature, so tokens with a chosen uid and oid are accepted whenever the enterprise license is valid (licenseValid=true). CVSS 4.0 rates this 9.5 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Security feature bypass in Microsoft .NET (shipped via Visual Studio 2022 17.12/17.14 and Visual Studio 2026 18.7) lets a remote, unauthenticated attacker defeat a cryptographic-signature check over the network — most likely a JWT/token signature verification flaw per the vendor 'Jwt Attack' and 'Authentication Bypass' tags. By forging or tampering with signed data the runtime fails to validate correctly, an attacker can impersonate trusted principals and undermine an authentication or integrity control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in Siemens Opcenter X (all versions before V2604) lets an unauthenticated remote attacker forge JSON Web Tokens by exploiting improper validation of the algorithm field in the JWT header. Because the application trusts the attacker-controlled 'alg' value, an attacker can craft tokens that impersonate any user - including administrators - yielding full unauthorized access to the manufacturing operations platform. Rated CVSS 10.0 with a scope-changing critical impact; no public exploit identified at time of analysis and it is not currently in CISA KEV.
Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.
Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.
Signature verification bypass in HAVELSAN Liman MYS (versions before release.Master.1107) lets remote attackers forge the source/authenticity of data - tagged as a JWT attack - enabling identity spoofing and likely authentication bypass. Per CVSS the vector is network-based and unauthenticated (AV:N/PR:N) with high impact to confidentiality and integrity. No public exploit is identified at time of analysis and it is not on CISA KEV.
Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) arises from an HMAC signature ambiguity in the Actions Artifacts V4 signed-URL scheme, letting an authenticated low-privilege user reuse a validly signed URL outside its intended repository or task context. An attacker with access to a single Actions task can read private artifacts belonging to other repositories and write upload-state for tasks they do not own, crossing the repository trust boundary (CVSS 9.6, scope-changed). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Firmware signature validation bypass in WatchGuard Fireware OS lets an authenticated administrator upload a tampered firmware image through the backup/restore feature and have it installed despite failing integrity checks. Affecting Fireware OS branches 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2025.6.2, the flaw (CWE-347) enables persistent malicious code on the appliance. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high integrity/confidentiality/availability impact and the appliance's privileged network position make it significant.
Signature forgery and denial-of-service in Libreswan's IKEv1 RSA authentication allows a remote unauthenticated attacker to impersonate an IKE peer or crash the daemon. The flaw lives in RSA_authenticate_hash_signature_raw_rsa(), which fails to validate the length of the authentication hash inside a PKCS #1 (RFC 2313) encoded SIG payload; when a peer uses a small RSA public exponent such as e=3, a Bleichenbacher-style forgery becomes feasible. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the impersonation impact against IKEv1 raw-RSA authentication makes this a high-severity issue (CVSS 8.1); remote code execution is explicitly not possible and X.509 certificate verification is unaffected.
Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 signatures. A remote unauthenticated attacker can mount a Bleichenbacher-style forgery to impersonate a peer when small RSA public exponents (e.g., e=3) are in use, or send an undersized hash to trip an assertion that aborts and restarts the daemon for sustained DoS. A vendor patch is available and there is no public exploit identified at time of analysis; RCE is not possible and X.509 certificate verification of the peer is unaffected.
Improper cryptographic signature verification in the CubeSpace CW0057 Reaction Wheel firmware (versions prior to 5.0.20) permits an attacker with physical access to flash arbitrary, unsigned firmware onto the device without any authentication. This affects a safety-critical spacecraft attitude control component used in CubeSat and small satellite missions, where unauthorized firmware replacement could cause mission-critical failures including attitude loss or uncontrolled spacecraft behavior. A proof-of-concept exploit exists (indicated by E:P in the CVSS 4.0 supplemental vector); no active exploitation has been confirmed by CISA KEV at time of analysis.
Cross-tenant JWT authentication bypass in Centrifugo (v3 through v6) lets an attacker holding a valid token for one allowed issuer/tenant authenticate as a different issuer/tenant when the server uses dynamic JWKS endpoint templates. The flaw stems from the JWKS cache and singleflight lookup being keyed only by the JWT header 'kid', so a key fetched for tenant A is reused to verify a token claiming tenant B whenever both JWKS documents share the same 'kid' and tenant A's key is cached first. Publicly available exploit code exists in the form of a reporter-supplied Go unit-test PoC; there is no evidence of active exploitation, and the CVSS base score is 8.2 (AC:H, PR:L, scope-changed).
Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.
Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.
Firmware update signature bypass in Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28 allows an authenticated remote attacker to supply unvalidated firmware packages, potentially compromising storage array integrity and availability. The root cause is CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag suggests the firmware validation chain relies on a JWT-based signing mechanism that can be circumvented under specific conditions. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the self-disclosure by Hitachi with a coordinated patch release indicates vendor-confirmed severity.
Signature type-binding bypass in @sigstore/core (npm) allows an attacker who controls the `payloadType` field of a DSSE envelope to substitute every ASCII character with a Unicode variant whose low byte matches, producing PAE bytes identical to a legitimate signature and causing verification to pass for a mismatched content type. All versions up to and including 3.2.0 are affected; a working proof-of-concept is included in the GitHub security advisory GHSA-jfc7-64v2-mr8c. The vulnerability is not confirmed in the CISA KEV catalog, but exploit code is publicly available, making exploitation straightforward for any attacker positioned to craft or relay DSSE envelopes.
JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.
Signer confusion in wolfSSL's PKCS7_verify implementation allows a crafted PKCS#7 message to report a trusted certificate as the signer even when an attacker-controlled certificate produced the actual signature. Any application using wolfSSL for PKCS#7 signature verification - including JWT workflows flagged in the CVE tags - may incorrectly authorize operations as if from a trusted party. No public exploit has been identified at time of analysis, but the upstream fix is available as GitHub PR #10203 and the vulnerability is straightforwardly reproducible by anyone familiar with PKCS#7 certificate bundle structure.
PKCS#12 MAC verification in wolfSSL accepts truncated or zero-length MACs because the comparison uses an attacker-controlled length field parsed from the input structure rather than the expected digest size, completely defeating HMAC integrity protection on PKCS#12 key stores. Any wolfSSL-based application that parses PKCS#12 files from untrusted sources - including certificate import endpoints, VPN provisioning services, or key management systems - can be tricked into accepting a structurally tampered PKCS#12 bundle as MAC-verified. No public exploit code or CISA KEV listing has been identified; the upstream fix is available as GitHub PR #10192 but a tagged patched release has not been independently confirmed.
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).
HMAC tag forgery in wolfSSL's OpenSSL-compatibility layer allows a zero-length or arbitrarily truncated HMAC tag to pass verification in EVP_DigestVerifyFinal, undermining message authentication for any application relying on this API path. Applications compiled with the OPENSSL_EXTRA flag that use EVP_DigestVerifyFinal for HMAC verification - including JWT validation libraries and message authentication flows - are affected across all currently-known wolfSSL versions. The root length check only enforced that the supplied tag did not exceed the MAC size, not that it equaled it, so an attacker controlling the tag buffer or length argument could present an empty signature and bypass integrity verification. No public exploit has been identified at time of analysis, and CISA KEV does not list this CVE.
Unauthenticated authentication bypass in OpenAM Community Edition (Open Identity Platform fork) through version 16.0.6 lets a network attacker spoof a RADIUS Access-Accept response and obtain a valid OpenAM session for any RADIUS-mapped username, without knowing the shared secret. The flaw stems from the RADIUS client accepting the first inbound UDP datagram as authoritative while skipping source, identifier, and Response Authenticator checks, making it materially easier to exploit than BlastRADIUS (CVE-2024-3596) since no MD5 chosen-prefix forgery is needed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is confirmed in version 16.1.1.
Signature-verification bypass in wolfSSL's OpenSSL compatibility layer allows a degenerate (certs-only) PKCS#7 object - one with empty signerInfos and no actual signature - to be falsely reported as verified by wolfSSL_PKCS7_verify(). Applications using the PKCS7_verify() compat API to authenticate attacker-supplied PKCS#7/CMS bundles can be tricked into treating unsigned content as authentic, undermining integrity guarantees. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the underlying defect is a classic improper-signature-verification (CWE-347) issue with a CVSS 4.0 base score of 8.2.
Authenticated remote code execution in ATEN Unizon stems from a broken cryptographic signature check in the updateWar method (reachable via doCryptoHugeFileToFile), letting a high-privileged remote attacker push a forged WAR update and run arbitrary code as SYSTEM. The flaw (CWE-347) was reported by Trend Micro ZDI as ZDI-CAN-28590 and carries a CVSS 3.0 base score of 7.2; no public exploit identified at time of analysis.
Authentication bypass in Rocket.Chat's SAML service provider lets attackers log in as arbitrary users when SAML is enabled but the IdP certificate field is left at its empty shipped default, which causes signature validation to be silently skipped. All versions prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11 are affected, and the CVSS 4.0 base score is 9.3 (Critical). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the fail-open behavior is reachable in a near-default configuration, making it a high-priority fix.
Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.
Signature substitution in CoreWCF's WS-Security message processing allows a remote unauthenticated attacker to replace the server's cryptographic integrity check with a signature of the attacker's choosing, effectively forging authenticated SOAP messages. Affected versions of CoreWCF.Primitives perform a document-wide lookup for ds:Signature elements rather than scoping verification to the wsse:Security header, so an attacker-injected signature in a preceding SOAP header is found and verified first. Exploitation is constrained by two non-default server-side prerequisites, limiting widespread risk on generic deployments, but the integrity bypass is complete where those conditions are met. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis.
Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT signature verification (CWE-347), allowing remote attackers to forge authentication tokens without valid credentials and gain unauthorized access to protected LMS resources. The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N confirms fully unauthenticated, low-complexity network exploitation, enabling an attacker to impersonate enrolled students or instructors and read or modify course-related data. No public exploit code or active exploitation has been confirmed at time of analysis, and the vulnerability is not listed in CISA KEV.
Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attackers to forge OIDC identity tokens and obtain fully authenticated technician sessions, because the server accepts ID tokens without verifying their cryptographic signature. Publicly available exploit code exists and the flaw can also bypass MFA in some configurations, making vulnerable remote-support deployments a high-priority target despite no current CISA KEV listing.
TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.
Authentication bypass in Cloud Foundry UAA (User Account and Authentication) versions 2.0.0 through 78.13.0 allows remote attackers to forge SAML assertions and impersonate users by exploiting a logic flaw where XML encryption was accepted as a substitute for XML signature verification. Because the Service Provider's public encryption key is published in SAML metadata, any party - not just a trusted Identity Provider - can craft encrypted-but-unsigned assertions that UAA will decrypt and trust, breaking the identity-assurance guarantee of SAML. No public exploit identified at time of analysis, but the cryptographic confusion (CWE-347) is well-understood and the impact (full identity spoofing into the platform IAM) is severe.
Signature metadata trust bypass in Apache CXF's JwsJsonContainerRequestFilter allows an attacker who can send JWS JSON-signed requests to inject unvalidated metadata - such as Content-Type or protected HTTP headers - by placing it in the first signature entry of a multi-signature JWS JSON token, even when that entry's signature was never verified. Affected deployments using the cxf-rt-rs-security-jose-jaxrs module may incorrectly trust attacker-controlled content type or header values, steering JAX-RS entity parsing or signed-header consistency checks in unintended ways. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-released patches 4.2.2 and 4.1.7 were published June 10, 2026.
Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.
Authentication bypass in NSA Ghidra versions prior to 12.1 allows any holder of a valid CA-signed certificate to impersonate arbitrary users by submitting their public certificate alongside a null signature to PKIAuthenticationModule.authenticate(). Successful exploitation yields privilege escalation, tampering of repository access controls, exfiltration of shared reverse-engineering databases, and persistent compromise of the Ghidra server. No public exploit identified at time of analysis, but a vendor patch and detailed advisory from VulnCheck are available.
Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS) to submit crafted SAML Responses, LogoutRequests, and LogoutResponses to a Service Provider endpoint and leverage the SP's private key for decryption without presenting a valid XML signature. Affected deployments span Spring Security 5.7.x through 7.0.x that use SAML-based SSO or Single Logout. No public exploit has been identified at time of analysis and EPSS data was not provided, but the attack class (XML encryption oracle) is well-documented in SAML security research and carries meaningful risk in identity-sensitive environments.
Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
Late signature validation in Siemens kas (pip/kas >= 4.8, < 5.3) allows an attacker who has already compromised a referenced upstream repository to substitute the cryptographic key used to validate that repository's tag signatures, effectively bypassing integrity checks entirely. Because kas processes and applies configuration includes from external repositories before verifying their signatures, a malicious repository can redirect the signature-validation key to one under attacker control. No public exploit code has been identified at time of analysis, and exploitation requires a highly specific multi-condition scenario including prior supply-chain access to a referenced upstream repo. Vendor-released patch version 5.3 resolves all related attack vectors.
Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.
Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.
Integrity bypass in Siemens kas (pip/kas < 5.3) allows an attacker who controls a referenced external git repository to substitute arbitrary commit content by creating a branch whose name matches the commit SHA recorded in a kas configuration file. Because kas passed the raw SHA string to `git checkout` without forcing disambiguation to a commit object, git resolves a branch of that name instead of the pinned commit, defeating the integrity guarantee users rely on. The primary impact falls on SHA-256 commit IDs; SHA-1 commits face a related but distinct risk through hash-collision substitution. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.
Cryptographic signature verification bypass in Northern.tech Mender Client 5 (before 5.0.4) allows unauthenticated remote attackers to circumvent JWT-based authentication controls. Tagged as both an Authentication Bypass and a JWT Attack, this CWE-347 flaw means the client fails to properly validate cryptographic signatures on tokens, potentially enabling unauthorized access to protected functionality or data. No public exploit code has been identified at time of analysis, and the low EPSS score of 0.02% (5th percentile) suggests exploitation is not currently widespread.
Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.
Denial of service in the Go golang.org/x/crypto/ssh library before version 0.52.0 allows unauthenticated remote attackers to exhaust CPU on SSH servers by submitting crafted RSA or DSA public keys with oversized parameters during public key authentication. EPSS is very low (0.03%) and there is no public exploit identified at time of analysis, but the bug is trivial to trigger and the fix has been published by the Go team in CL 781641/781661.
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
Authentication bypass in epa4all-client allows MITM attackers positioned within the TI (Telematikinfrastruktur) network to capture SMC-B-signed authentication material by substituting a forged OIDC discovery document. The vulnerability affects all versions prior to 1.2.2 and requires the attacker to intercept TLS connections between the client and Identity Provider. No public exploit identified at time of analysis.
Improper verification of cryptographic signature in the Radeon RGB tool could allow a malicious file placed in the installation directory to be run with elevated privileges potentially leading to. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication controls when the Cloud Authentication Service (CAS) feature is enabled, with the highest risk when CAS is bound to the management interface. The flaw affects PA-Series and VM-Series firewalls as well as Panorama (virtual and M-Series); Cloud NGFW and Prisma Access are not impacted. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability low at 0.08%, but the high-value target profile and CWE-347 (Improper Verification of Cryptographic Signature) class - combined with the 'Jwt Attack' tag - warrant prompt patching.
Zen Browser's auto-update mechanism delivered unsigned code to all users due to deliberately removed MAR signature verification inherited from Firefox. The browser shipped with Mozilla's updater binary stripped of all cryptographic verification code and served update packages containing zero cryptographic signatures. Compromise of the update server or GitHub Actions pipeline allowed arbitrary code execution on all Zen installations without cryptographic chain-of-trust protection. Version 1.19.9b restores MAR signing with RSA-4096 keys and certificate verification in the updater binary.
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
Signature verification bypass in bitcoinj-core library allows attackers to forge Bitcoin transaction validations by exploiting fast-path optimization flaws in P2PKH and P2WPKH script execution. Versions 0.15 through 0.17.0 fail to verify that attacker-supplied public keys match the hash committed to in transaction outputs, enabling arbitrary keypairs to satisfy local transaction validation checks. While this does not affect SPV (Simple Payment Verification) nodes that follow proof-of-work without signature verification, applications using the correctlySpends() method for transaction validation or pre-signing checks are vulnerable to accepting fraudulent transactions. Vendor-released patch available in version 0.17.1, fixes confirmed in GitHub commits 2bc5653c and b575a682. No active exploitation confirmed (not in CISA KEV); EPSS data unavailable.
Consensus divergence in Zebra 4.3.1 enables blockchain network partitioning through crafted transparent transactions with invalid sighash types. Insufficient error handling at the Rust-to-C++ FFI boundary causes Zebra to incorrectly accept transactions with undefined hash types by reusing stale buffer data from prior valid signature checks, while zcashd correctly rejects these transactions. Attackers can exploit this by chaining OP_CHECKSIGVERIFY with OP_CHECKSIG opcodes using invalid hash types to trigger acceptance on Zebra nodes but rejection on zcashd nodes, creating a consensus split that could enable double-spend attacks. Vendor-released patch: 4.4.0. No public exploit identified at time of analysis, but the technical mechanism is fully disclosed in the GitHub advisory GHSA-gq4h-3grw-2rhv.
The Go toolchain's module proxy validation can be bypassed by attackers controlling untrusted GOPROXY or GOSUMDB endpoints, allowing delivery of malicious toolchain versions that execute with developer privileges. When the go command downloads a different toolchain version (via GOTOOLCHAIN, go.mod, or go.work directives), a malicious proxy can serve altered toolchains by exploiting checksum database validation logic that incorrectly accepts empty responses. While EPSS indicates only 1% exploitation probability and CISA SSVC marks exploitation status as 'none', the total technical impact rating and network attack vector (AV:N) represent significant supply chain risk for organizations using non-default module proxies. Vendor patch available in Go 1.26.3 and 1.25.10.
Improper cryptographic signature verification in Dolibarr ERP CRM up to version 23.0.2 allows remote attackers to bypass signature validation in the Online Signature Module, potentially forging or manipulating signed transactions. The vulnerability affects the dol_verifyHash function and has been publicly disclosed with exploit code available, though exploitation requires high technical complexity and is not confirmed as actively exploited in production environments.
SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
Improper verification of cryptographic signatures in Cesanta Mongoose versions up to 7.20 allows remote attackers to bypass GCM authentication tag validation in the mg_aes_gcm_decrypt function. The vulnerability has high attack complexity and requires no user interaction, but provides only integrity impact (not confidentiality or availability). Publicly available exploit code exists, and vendor has released patched version 7.21.
Signature duplication in AWS Tough TUF client prior to v0.22.0 allows authenticated attackers to bypass threshold signature requirements for delegated role metadata by reusing a single valid signature multiple times. The flaw undermines TUF's multi-signature integrity model, enabling acceptance of forged metadata with reduced cryptographic validation. Vendor patch available (tough-v0.22.0, tuftool-v0.15.0). No public exploit code or active exploitation confirmed at time of analysis, but CVSS 7.0 reflects high integrity impact to both vulnerable and downstream systems.
Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.
The Nimiq staking contract accepts UpdateValidator transactions that omit proof-of-knowledge validation when updating voting keys, enabling rogue-key attacks against BLS signature aggregation used in Tendermint block justification. An attacker who can predict the next epoch's validator set could forge quorum-appearing block justifications with a single signature. Exploitation is constrained by the requirement to predict future validator set composition via VRF, making real-world attacks unlikely despite the critical cryptographic impact. Vendor-released patch v1.3.0 addresses the vulnerability.
Cryptographic signature verification bypass in ASP.NET Core 10.0 enables remote unauthenticated attackers to forge authentication tokens and gain unauthorized access to protected resources. Tagged as a JWT attack involving authentication bypass, this vulnerability allows complete compromise of confidentiality and integrity without requiring any special conditions (AV:N/AC:L/PR:N/UI:N). Microsoft has released a security update addressing this flaw. No active exploitation confirmed in CISA KEV at time of analysis, though the authentication bypass nature and network-accessible attack surface present significant risk for widely deployed ASP.NET Core applications.
OpenClaw 2026.3.22 through 2026.3.30 contain a signature verification bypass in the Nostr direct message (DM) ingress handler that processes pairing challenges before validating event signatures. Remote unauthenticated attackers can send forged DMs to create bogus pending pairing entries, exhaust shared pairing capacity, and trigger unbounded relay and logging work on the Nostr channel, causing denial of service. No public exploit code or active exploitation has been confirmed; a vendor patch is available in version 2026.3.31 and later.
Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.
Authentication bypass in Siemens SINEC NMS versions prior to V4.0 SP3 with UMC allows unauthenticated remote attackers to gain unauthorized access due to insufficient user identity validation in the UMC component (CWE-347: Improper Verification of Cryptographic Signature). The vulnerability enables network-based attacks with low complexity requiring no user interaction (CVSS 7.3, AV:N/AC:L/PR:N/UI:N), granting partial access to confidentiality, integrity, and availability. ZDI tracking ID CAN-27564 suggests coordinated disclosure. No active exploitation (CISA KEV) or public exploit code confirmed at time of analysis, though JWT-related authentication bypasses are well-understood attack primitives.
Cryptographic signature bypass in Palo Alto Networks Cortex XSOAR and XSIAM Microsoft Teams integrations (versions 1.5.0 through 1.5.51) allows unauthenticated remote attackers to access and modify protected resources. The vulnerability stems from improper JWT verification (CWE-347), enabling attackers to forge authentication tokens. With CVSS 7.2 (High complexity, network-accessible, no privileges required) and tags indicating JWT attack vectors and information disclosure potential, this represents a critical integration security flaw requiring immediate patching to version 1.5.52 or later.
Signature verification bypass in wolfSSL's ECCSI implementation allows adjacent network attackers to forge cryptographic signatures for any message and identity without authentication. The wc_VerifyEccsiHash function fails to validate that signature scalars r and s fall within the required mathematical range [1, q-1], enabling attackers with knowledge of public constants to craft universally-valid forged signatures. This defeats the cryptographic integrity guarantees of ECCSI-signed data, particularly affecting JWT authentication systems and identity-based cryptographic protocols. No public exploit identified at time of analysis.
Signature verification bypass in BSV Ruby SDK versions 0.3.1 through 0.8.1 allows authenticated attackers to forge blockchain identity certificates. The WalletClient#acquire_certificate method persists certificates without validating certifier signatures in both 'direct' acquisition (where attackers supply all fields including forged signatures) and 'issuance' protocols (where malicious certifier endpoints inject invalid signatures). Forged certificates appear authentic to list_certificates and prove_certificate operations, enabling impersonation attacks. CVSS 8.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible exploitation requiring low-privilege authentication. No public exploit identified at time of analysis.
LightRAG API authentication can be bypassed via JWT algorithm confusion attack, where an attacker forges tokens by specifying 'alg': 'none' in the JWT header to impersonate any user including administrators. The vulnerability exists in the validate_token() method in lightrag/api/auth.py (line 128), which accepts the unsigned 'none' algorithm despite not explicitly permitting it, allowing unauthenticated remote attackers to gain unauthorized access to protected resources. Publicly available proof-of-concept code demonstrates the attack; vendor has released a patch addressing the root cause of improper algorithm validation.
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
Denial of service in rust-rpm-sequoia allows local attackers to crash RPM signature verification by submitting specially crafted RPM files that trigger unhandled errors in OpenPGP parsing, preventing legitimate package management operations. CVSS 4.0 (low severity), local attack vector, non-authenticating. No public exploit code or active exploitation confirmed.
Authentication bypass in OneUptime SAML SSO implementation allows authenticated attackers to impersonate arbitrary users by exploiting XML signature verification logic flaws. Affected versions prior to 10.0.42 decouple signature validation from identity extraction, enabling XML injection attacks where an unsigned assertion with attacker-controlled identity precedes a legitimately signed assertion. EPSS and exploitation signals indicate publicly available exploit code exists with moderate technical complexity (CVSS AC:L, PR:L). No confirmed active exploitation (not in CISA KEV).
Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.
JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only standard JWT manipulation tools.
Botan cryptography library versions 3.0.0 through 3.10.x fail to verify OCSP response signatures during X.509 certificate path validation, allowing attackers to forge certificate status responses and potentially bypass revocation checks. This integrity bypass affects any application using Botan for TLS or certificate validation and requires network positioning but not authentication. The vulnerability was patched in version 3.11.0.
Zebra cryptocurrency nodes prior to version 4.3.0 can be forced into consensus split by malicious miners who craft blocks containing V5 transactions with matching txids but invalid authorization data. The vulnerability stems from a cache lookup that used ZIP-244 txid (which excludes authorization data) to bypass full verification, allowing nodes to accept blocks with invalid signatures. While this does not enable invalid transaction acceptance, it isolates vulnerable nodes from the Zcash network, creating fork conditions exploitable for service disruption and potential double-spend scenarios against partitioned nodes. No public exploit code or CISA KEV listing exists, but the technical complexity is low for actors with mining capabilities. Affected products are zebrad and zebra-consensus Rust packages supporting Network Upgrade 5 (V5 transactions). Vendor-released patch: Zebra 4.3.0.
Authentication bypass in OpenClaw's Feishu webhook integration (pre-2026.3.12) allows unauthenticated remote attackers to inject forged events and trigger arbitrary downstream tool execution. The vulnerability occurs when administrators configure only verificationToken without encryptKey, enabling attackers to craft malicious webhook payloads that bypass validation. No public exploit identified at time of analysis, though CVSS 8.8 reflects network accessibility (AV:N), zero complexity (AC:L), and no privileges required (PR:N).
The digitalbazaar/forge npm package accepts forged Ed25519 signatures due to missing scalar canonicalization checks, allowing authentication and authorization bypass in applications that rely on signature uniqueness. All versions since Ed25519 implementation are affected (confirmed through version 1.3.3), identified as pkg:npm/node-forge. Publicly available exploit code exists with a complete proof-of-concept demonstrating how attackers can create multiple valid signatures for the same message by adding the group order L to the scalar component S, bypassing deduplication, replay protection, and signed-object canonicalization checks. The vendor has released a patch via commit bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85.
XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.
A downgrade vulnerability affecting Intel-based Mac computers allows malicious applications to bypass code-signing restrictions and access user-sensitive data. The vulnerability impacts macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), macOS Tahoe (versions before 26.3 and 26.4), and affects all Intel-based Mac systems running vulnerable versions. An attacker can craft an application that exploits insufficient code-signing validation to downgrade security protections and exfiltrate sensitive user information.
Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 certificates by supplying malicious domain parameters (g=1, y=1, r=1) that cause verification functions to incorrectly validate any message hash. This actively undermines authentication and integrity checks in applications using the library for JWT validation, certificate verification, or digital signatures. EPSS score is negligible (0.01%) despite proof-of-concept availability, and CISA SSVC classifies this as requiring proof-of-concept but not automatable, indicating targeted exploitation risk rather than widespread scanning.
PuTTY versions up to 0.83 contain a weak authentication vulnerability in the Ed25519 signature verification function (eddsa_verify in crypto/ecc-ssh.c) that allows remote attackers to potentially forge or manipulate digital signatures due to improper validation of Ed25519 signature components. While a public proof-of-concept exploit exists and the vulnerability affects signature verification, the real-world impact remains unproven, with CVSS 3.7 (low severity) and EPSS probability indicating exploitation is difficult and requires high complexity. The vendor (PuTTY developers) has already released a patch addressing this issue.
A cryptographic signature verification flaw exists in tinyssh's Ed25519 signature handler (crypto_sign_ed25519_tinyssh.c) that allows improper validation of signatures, potentially enabling an attacker to forge or bypass signature checks. Affected versions of janmojzis tinyssh up to 20250501 are impacted, with the vulnerability requiring local execution and high attack complexity. A public exploit has been disclosed, and vendor patches are available in version 20260301.
A cryptographic authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers who gain access to server-level cryptographic material to authenticate as any user and obtain elevated privileges. The vulnerability affects all ScreenConnect versions prior to 26.1 and carries a CVSS score of 9.0, indicating critical severity. While not currently listed in CISA's KEV catalog and with no public proof-of-concept available, the vulnerability's authentication bypass nature and potential for complete system compromise make it a high-priority patching target.
Private key recovery in Stanford JavaScript Crypto Library (SJCL) ECDH implementation affects all versions prior to 1.0.9, allowing remote unauthenticated attackers to extract a victim's ECDH private key by submitting crafted off-curve public keys and observing the resulting shared-secret outputs. The flaw stems from missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(), combined with dhJavaEc() returning the raw x-coordinate without hashing - providing a direct plaintext oracle. Publicly available exploit code exists (PoC gist by Kr0emer); EPSS is low at 0.02% despite the high confidentiality impact, suggesting limited current opportunistic targeting.
A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.