CVE-2026-44351: CWE-287: Improper Authentication in nearform fast-jwt
A critical authentication bypass vulnerability (CVE-2026-44351) exists in nearform fast-jwt versions prior to 6. 2. 4. The flaw occurs in the async key-resolver flow when the key resolver returns an empty string, which fast-jwt converts to a zero-length key. This allows attackers to forge arbitrary JWTs that are accepted as authentic by computing an HMAC with an empty key. The vulnerability is fixed in version 6. 2. 4.
AI Analysis
Technical Summary
fast-jwt is a JSON Web Token implementation. Before version 6.2.4, if the key resolver returned an empty string (e.g., due to a fallback in JWKS key lookup), fast-jwt would convert this to a zero-length Buffer and use it as the secret key for HMAC verification. This results in allowed algorithms HS256, HS384, and HS512 being verified against an empty key. An attacker can compute a valid HMAC-SHA256 signature with an empty key for any chosen JWT header and payload, bypassing authentication and forging tokens accepted as authentic by the application. The issue is resolved in fast-jwt 6.2.4.
Potential Impact
Successful exploitation allows unauthenticated attackers to forge arbitrary JWTs that the application accepts as valid, potentially granting unauthorized access or elevated privileges. The vulnerability affects confidentiality and integrity of authentication tokens but does not impact availability. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
A patch is available in fast-jwt version 6.2.4 that fixes this vulnerability. Users should upgrade to version 6.2.4 or later to remediate the issue. Since this is a cloud service, the vendor manages remediation for hosted environments; users should verify with the vendor that the service is updated. No alternative mitigations are specified.
CVE-2026-44351: CWE-287: Improper Authentication in nearform fast-jwt
Description
A critical authentication bypass vulnerability (CVE-2026-44351) exists in nearform fast-jwt versions prior to 6. 2. 4. The flaw occurs in the async key-resolver flow when the key resolver returns an empty string, which fast-jwt converts to a zero-length key. This allows attackers to forge arbitrary JWTs that are accepted as authentic by computing an HMAC with an empty key. The vulnerability is fixed in version 6. 2. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
fast-jwt is a JSON Web Token implementation. Before version 6.2.4, if the key resolver returned an empty string (e.g., due to a fallback in JWKS key lookup), fast-jwt would convert this to a zero-length Buffer and use it as the secret key for HMAC verification. This results in allowed algorithms HS256, HS384, and HS512 being verified against an empty key. An attacker can compute a valid HMAC-SHA256 signature with an empty key for any chosen JWT header and payload, bypassing authentication and forging tokens accepted as authentic by the application. The issue is resolved in fast-jwt 6.2.4.
Potential Impact
Successful exploitation allows unauthenticated attackers to forge arbitrary JWTs that the application accepts as valid, potentially granting unauthorized access or elevated privileges. The vulnerability affects confidentiality and integrity of authentication tokens but does not impact availability. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
A patch is available in fast-jwt version 6.2.4 that fixes this vulnerability. Users should upgrade to version 6.2.4 or later to remediate the issue. Since this is a cloud service, the vendor manages remediation for hosted environments; users should verify with the vendor that the service is updated. No alternative mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T19:52:59.148Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a04d644cbff5d861003f201
Added to database: 5/13/2026, 7:51:32 PM
Last enriched: 5/13/2026, 8:06:27 PM
Last updated: 5/13/2026, 8:53:11 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.