CVE-2026-44699

216.73.217.22

· Published 15/05/2026 17:16 · Modified 15/05/2026 19:17

Labels: CVE-2026-44699 2026-05-15 CVE-2026-44699 CWE-327 [email protected]

Essential information

Published: 15/05/2026 17:16
Modified: 15/05/2026 19:17
Author: —
Creator: —
CVSS: 9.1 CRITICAL (v3) 9.1 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid JWT without knowing any secret or RSA private key. This is an algorithm-confusion authentication bypass. It affects applications that load RSA keys from JWKS where alg is omitted, which is valid JWK syntax and common in real deployments, and then choose the verification algorithm from the JWT header, for example in a kid lookup callback. This vulnerability is fixed in 3.3.3.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
libjwt / libjwt	`cpe:2.3:a:libjwt:libjwt:3.0.0-3.3.2:::::::*`