このページはまだあなたの言語に翻訳されていません。翻訳作業中のため、英語でコンテンツを表示しています。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

CRITICALCVE-2026-44351CVSS 9.1

CVE-2026-44351: Authentication Bypass in fast-jwt

Q: What is CVE-2026-44351 — Authentication Bypass in fast-jwt?

CVE-2026-44351 is a critical vulnerability in fast-jwt allowing unauthenticated attackers to forge JWTs, bypassing authentication mechanisms. It affects versions 1.0.0 through 6.2.3 and is rated CRITICAL (9.1 CVSS).

Q: Am I affected by CVE-2026-44351 in fast-jwt?

If your application uses fast-jwt version 1.0.0 through 6.2.3, you are potentially affected. Check your dependencies and upgrade immediately if vulnerable.

Q: How do I fix CVE-2026-44351 in fast-jwt?

Upgrade to fast-jwt version 6.2.4 or later to resolve the vulnerability. As a temporary workaround, ensure your key resolver never returns an empty string.

Q: Is CVE-2026-44351 being actively exploited?

While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Continuous monitoring is recommended.

Q: Where can I find the official fast-jwt advisory for CVE-2026-44351?

Refer to the fast-jwt GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-44351.

プラットフォーム

nodejs

コンポーネント

fast-jwt

修正版

6.2.4

NVDで見る

保存

あなたの言語に翻訳中…

CVE-2026-44351 is a critical authentication bypass vulnerability discovered in fast-jwt, a popular JSON Web Token (JWT) implementation. This flaw allows an attacker to forge valid JWTs without authentication, effectively gaining unauthorized access to protected resources. The vulnerability affects versions 1.0.0 through 6.2.3 and has been resolved in version 6.2.4. Prompt patching is strongly recommended.

影響と攻撃シナリオ翻訳中…

The impact of CVE-2026-44351 is severe. An attacker can exploit this vulnerability to impersonate legitimate users, access sensitive data, and potentially compromise the entire application. The vulnerability stems from how fast-jwt handles empty key resolver responses. Specifically, if the key resolver returns an empty string, fast-jwt incorrectly derives allowed algorithms, enabling signature verification against an empty key. This allows an attacker to craft a JWT with a valid signature (even a trivial one) that will be accepted as authentic. This is similar to vulnerabilities where improper key handling leads to authentication bypass, potentially granting full control over the application’s functionality.

悪用の状況翻訳中…

CVE-2026-44351 was published on 2026-05-13. Its severity is rated as CRITICAL (9.1 CVSS). Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation and the potential impact make it a high-priority target. No entries on KEV or EPSS are currently available. Monitor security advisories and threat intelligence feeds for any indications of exploitation.

脅威インテリジェンス

エクスプロイト状況

概念実証不明

CISA KEVNO

インターネット露出高

CVSS ベクトル

これらのメトリクスの意味は？

Attack Vector: ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity: 低 — 特別な条件不要。安定して悪用可能。
Privileges Required: なし — 認証不要。資格情報なしで悪用可能。
User Interaction: なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope: 変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality: 高 — 機密性の完全喪失。全データが読み取り可能。
Integrity: 高 — 任意のデータの書き込み・変更・削除が可能。
Availability: なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントfast-jwt

ベンダーnearform

最小バージョン1.0.0

最大バージョン< 6.2.4

修正版6.2.4

弱点分類 (CWE)

CWE-287 CWE-326 CWE-1391

タイムライン

予約済み2026-05-05
公開日2026-05-13

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-44351 is to upgrade to fast-jwt version 6.2.4 or later. This version includes a fix that prevents the incorrect key derivation. If upgrading immediately is not feasible, consider implementing a temporary workaround by ensuring that your key resolver never returns an empty string. This can be achieved by adding a default key or error handling to prevent an empty response. Additionally, implement strict input validation on JWTs to prevent unexpected data from being processed. After upgrading, verify the fix by attempting to forge a JWT with an empty key and confirming that it is rejected.

修正方法翻訳中…

Actualice a la versión 6.2.4 o superior de fast-jwt para mitigar la vulnerabilidad. Asegúrese de que el key resolver no devuelva una cadena vacía, ya que esto permite la falsificación de tokens JWT.

よくある質問翻訳中…

What is CVE-2026-44351 — Authentication Bypass in fast-jwt?

CVE-2026-44351 is a critical vulnerability in fast-jwt allowing unauthenticated attackers to forge JWTs, bypassing authentication mechanisms. It affects versions 1.0.0 through 6.2.3 and is rated CRITICAL (9.1 CVSS).

Am I affected by CVE-2026-44351 in fast-jwt?

If your application uses fast-jwt version 1.0.0 through 6.2.3, you are potentially affected. Check your dependencies and upgrade immediately if vulnerable.

How do I fix CVE-2026-44351 in fast-jwt?

Upgrade to fast-jwt version 6.2.4 or later to resolve the vulnerability. As a temporary workaround, ensure your key resolver never returns an empty string.

Is CVE-2026-44351 being actively exploited?

While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Continuous monitoring is recommended.

Where can I find the official fast-jwt advisory for CVE-2026-44351?

Refer to the fast-jwt GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-44351.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャン CVEを検索

scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ＆ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...

ファイルを選択