CVE-2026-44699

EUVD-2026-30560

15.05.2026, 17:16

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid JWT without knowing any secret or RSA private key. This is an algorithm-confusion authentication bypass. It affects applications that load RSA keys from JWKS where alg is omitted, which is valid JWK syntax and common in real deployments, and then choose the verification algorithm from the JWT header, for example in a kid lookup callback. This vulnerability is fixed in 3.3.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

libjwt

bookworm	1.10.2-1+deb12u1 fixed
bullseye	1.10.2-1+deb11u1 fixed
forky	1.17.2-1 fixed
sid	1.17.2-1 fixed
trixie	1.17.2-1 fixed

libjwt3

forky	vulnerable
sid	vulnerable

Common Weakness Enumeration

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

References

https://github.com/benmcollins/libjwt/security/advisories/GHSA-q843-6q5f-w55g