Scan free
CRITICALCVE-2026-44351CVSS 9.1

CVE-2026-44351: Authentication Bypass in fast-jwt

Platform

nodejs

Component

fast-jwt

Fixed in

6.2.4

View on NVD
Save

CVE-2026-44351 is a critical authentication bypass vulnerability discovered in fast-jwt, a popular JSON Web Token (JWT) implementation. This flaw allows an attacker to forge valid JWTs without authentication, effectively gaining unauthorized access to protected resources. The vulnerability affects versions 1.0.0 through 6.2.3 and has been resolved in version 6.2.4. Prompt patching is strongly recommended.

Impact and Attack Scenarios

The impact of CVE-2026-44351 is severe. An attacker can exploit this vulnerability to impersonate legitimate users, access sensitive data, and potentially compromise the entire application. The vulnerability stems from how fast-jwt handles empty key resolver responses. Specifically, if the key resolver returns an empty string, fast-jwt incorrectly derives allowed algorithms, enabling signature verification against an empty key. This allows an attacker to craft a JWT with a valid signature (even a trivial one) that will be accepted as authentic. This is similar to vulnerabilities where improper key handling leads to authentication bypass, potentially granting full control over the application’s functionality.

Exploitation Context

CVE-2026-44351 was published on 2026-05-13. Its severity is rated as CRITICAL (9.1 CVSS). Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation and the potential impact make it a high-priority target. No entries on KEV or EPSS are currently available. Monitor security advisories and threat intelligence feeds for any indications of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentfast-jwt
Vendornearform
Minimum version1.0.0
Maximum version< 6.2.4
Fixed in6.2.4

Weakness Classification (CWE)

CWE-287CWE-326CWE-1391

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-44351 is to upgrade to fast-jwt version 6.2.4 or later. This version includes a fix that prevents the incorrect key derivation. If upgrading immediately is not feasible, consider implementing a temporary workaround by ensuring that your key resolver never returns an empty string. This can be achieved by adding a default key or error handling to prevent an empty response. Additionally, implement strict input validation on JWTs to prevent unexpected data from being processed. After upgrading, verify the fix by attempting to forge a JWT with an empty key and confirming that it is rejected.

How to fix

Actualice a la versión 6.2.4 o superior de fast-jwt para mitigar la vulnerabilidad. Asegúrese de que el key resolver no devuelva una cadena vacía, ya que esto permite la falsificación de tokens JWT.

Frequently asked questions

What is CVE-2026-44351 — Authentication Bypass in fast-jwt?

CVE-2026-44351 is a critical vulnerability in fast-jwt allowing unauthenticated attackers to forge JWTs, bypassing authentication mechanisms. It affects versions 1.0.0 through 6.2.3 and is rated CRITICAL (9.1 CVSS).

Am I affected by CVE-2026-44351 in fast-jwt?

If your application uses fast-jwt version 1.0.0 through 6.2.3, you are potentially affected. Check your dependencies and upgrade immediately if vulnerable.

How do I fix CVE-2026-44351 in fast-jwt?

Upgrade to fast-jwt version 6.2.4 or later to resolve the vulnerability. As a temporary workaround, ensure your key resolver never returns an empty string.

Is CVE-2026-44351 being actively exploited?

While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Continuous monitoring is recommended.

Where can I find the official fast-jwt advisory for CVE-2026-44351?

Refer to the fast-jwt GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-44351.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...