Threats Tagged 'ghsa-r9gp-7f88-9r54'
View all threats tagged with 'ghsa-r9gp-7f88-9r54'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'ghsa-r9gp-7f88-9r54'
Click on any threat for detailed analysis and mitigation recommendations
GHSA-r9gp-7f88-9r54: Lemur: JWT verifier honors attacker-supplied alg, enabling ATOCVE-2026-55165 0 Lemur version 1.9.0 and earlier contain a vulnerability where the JWT verifier trusts the algorithm specified in the token header without validation. This allows an attacker to influence the cryptographic verification process, creating a defense-in-depth gap. While PyJWT 2.x prevents single-request account takeover (ATO) via the 'alg=none' attack, this vulnerability could enable ATO if combined with a separate secret disclosure or if the system migrates to asymmetric signing without fixing this issue. Additionally, audit logs relying on the token's algorithm field can be blinded by attacker-supplied values. Join the discussion | GCVE Database | 06/25/2026, 22:05:17 UTC Added: 06/26/2026, 22:06:29 UTC |
Showing 1 to 1 of 1 result