Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-44351: Authentication Bypass in fast-jwt
Plataforma
nodejs
Componente
fast-jwt
Corrigido em
6.2.4
CVE-2026-44351 is a critical authentication bypass vulnerability discovered in fast-jwt, a popular JSON Web Token (JWT) implementation. This flaw allows an attacker to forge valid JWTs without authentication, effectively gaining unauthorized access to protected resources. The vulnerability affects versions 1.0.0 through 6.2.3 and has been resolved in version 6.2.4. Prompt patching is strongly recommended.
Impacto e Cenários de Ataquetraduzindo…
The impact of CVE-2026-44351 is severe. An attacker can exploit this vulnerability to impersonate legitimate users, access sensitive data, and potentially compromise the entire application. The vulnerability stems from how fast-jwt handles empty key resolver responses. Specifically, if the key resolver returns an empty string, fast-jwt incorrectly derives allowed algorithms, enabling signature verification against an empty key. This allows an attacker to craft a JWT with a valid signature (even a trivial one) that will be accepted as authentic. This is similar to vulnerabilities where improper key handling leads to authentication bypass, potentially granting full control over the application’s functionality.
Contexto de Exploraçãotraduzindo…
CVE-2026-44351 was published on 2026-05-13. Its severity is rated as CRITICAL (9.1 CVSS). Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation and the potential impact make it a high-priority target. No entries on KEV or EPSS are currently available. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Inteligência de Ameaças
Status do Exploit
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
- Integrity
- Alto — o atacante pode escrever, modificar ou excluir qualquer dado.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-44351 is to upgrade to fast-jwt version 6.2.4 or later. This version includes a fix that prevents the incorrect key derivation. If upgrading immediately is not feasible, consider implementing a temporary workaround by ensuring that your key resolver never returns an empty string. This can be achieved by adding a default key or error handling to prevent an empty response. Additionally, implement strict input validation on JWTs to prevent unexpected data from being processed. After upgrading, verify the fix by attempting to forge a JWT with an empty key and confirming that it is rejected.
Como corrigirtraduzindo…
Actualice a la versión 6.2.4 o superior de fast-jwt para mitigar la vulnerabilidad. Asegúrese de que el key resolver no devuelva una cadena vacía, ya que esto permite la falsificación de tokens JWT.
Perguntas frequentestraduzindo…
What is CVE-2026-44351 — Authentication Bypass in fast-jwt?
CVE-2026-44351 is a critical vulnerability in fast-jwt allowing unauthenticated attackers to forge JWTs, bypassing authentication mechanisms. It affects versions 1.0.0 through 6.2.3 and is rated CRITICAL (9.1 CVSS).
Am I affected by CVE-2026-44351 in fast-jwt?
If your application uses fast-jwt version 1.0.0 through 6.2.3, you are potentially affected. Check your dependencies and upgrade immediately if vulnerable.
How do I fix CVE-2026-44351 in fast-jwt?
Upgrade to fast-jwt version 6.2.4 or later to resolve the vulnerability. As a temporary workaround, ensure your key resolver never returns an empty string.
Is CVE-2026-44351 being actively exploited?
While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Continuous monitoring is recommended.
Where can I find the official fast-jwt advisory for CVE-2026-44351?
Refer to the fast-jwt GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-44351.
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...