此页面尚未翻译为您的语言。我们正在努力翻译，目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

CRITICALCVE-2026-44351CVSS 9.1

CVE-2026-44351: Authentication Bypass in fast-jwt

Q: What is CVE-2026-44351 — Authentication Bypass in fast-jwt?

CVE-2026-44351 is a critical vulnerability in fast-jwt allowing unauthenticated attackers to forge JWTs, bypassing authentication mechanisms. It affects versions 1.0.0 through 6.2.3 and is rated CRITICAL (9.1 CVSS).

Q: Am I affected by CVE-2026-44351 in fast-jwt?

If your application uses fast-jwt version 1.0.0 through 6.2.3, you are potentially affected. Check your dependencies and upgrade immediately if vulnerable.

Q: How do I fix CVE-2026-44351 in fast-jwt?

Upgrade to fast-jwt version 6.2.4 or later to resolve the vulnerability. As a temporary workaround, ensure your key resolver never returns an empty string.

Q: Is CVE-2026-44351 being actively exploited?

While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Continuous monitoring is recommended.

Q: Where can I find the official fast-jwt advisory for CVE-2026-44351?

Refer to the fast-jwt GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-44351.

平台

nodejs

组件

fast-jwt

修复版本

6.2.4

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-44351 is a critical authentication bypass vulnerability discovered in fast-jwt, a popular JSON Web Token (JWT) implementation. This flaw allows an attacker to forge valid JWTs without authentication, effectively gaining unauthorized access to protected resources. The vulnerability affects versions 1.0.0 through 6.2.3 and has been resolved in version 6.2.4. Prompt patching is strongly recommended.

影响与攻击场景翻译中…

The impact of CVE-2026-44351 is severe. An attacker can exploit this vulnerability to impersonate legitimate users, access sensitive data, and potentially compromise the entire application. The vulnerability stems from how fast-jwt handles empty key resolver responses. Specifically, if the key resolver returns an empty string, fast-jwt incorrectly derives allowed algorithms, enabling signature verification against an empty key. This allows an attacker to craft a JWT with a valid signature (even a trivial one) that will be accepted as authentic. This is similar to vulnerabilities where improper key handling leads to authentication bypass, potentially granting full control over the application’s functionality.

利用背景翻译中…

CVE-2026-44351 was published on 2026-05-13. Its severity is rated as CRITICAL (9.1 CVSS). Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation and the potential impact make it a high-priority target. No entries on KEV or EPSS are currently available. Monitor security advisories and threat intelligence feeds for any indications of exploitation.

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 高 — 攻击者可写入、修改或删除任何数据。
Availability: 无 — 无可用性影响。

受影响的软件

组件fast-jwt

供应商nearform

最低版本1.0.0

最高版本< 6.2.4

修复版本6.2.4

弱点分类 (CWE)

CWE-287 CWE-326 CWE-1391

时间线

已保留2026-05-05
发布日期2026-05-13

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-44351 is to upgrade to fast-jwt version 6.2.4 or later. This version includes a fix that prevents the incorrect key derivation. If upgrading immediately is not feasible, consider implementing a temporary workaround by ensuring that your key resolver never returns an empty string. This can be achieved by adding a default key or error handling to prevent an empty response. Additionally, implement strict input validation on JWTs to prevent unexpected data from being processed. After upgrading, verify the fix by attempting to forge a JWT with an empty key and confirming that it is rejected.

修复方法翻译中…

Actualice a la versión 6.2.4 o superior de fast-jwt para mitigar la vulnerabilidad. Asegúrese de que el key resolver no devuelva una cadena vacía, ya que esto permite la falsificación de tokens JWT.

常见问题翻译中…

What is CVE-2026-44351 — Authentication Bypass in fast-jwt?

CVE-2026-44351 is a critical vulnerability in fast-jwt allowing unauthenticated attackers to forge JWTs, bypassing authentication mechanisms. It affects versions 1.0.0 through 6.2.3 and is rated CRITICAL (9.1 CVSS).

Am I affected by CVE-2026-44351 in fast-jwt?

If your application uses fast-jwt version 1.0.0 through 6.2.3, you are potentially affected. Check your dependencies and upgrade immediately if vulnerable.

How do I fix CVE-2026-44351 in fast-jwt?

Upgrade to fast-jwt version 6.2.4 or later to resolve the vulnerability. As a temporary workaround, ensure your key resolver never returns an empty string.

Is CVE-2026-44351 being actively exploited?

While no active campaigns are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Continuous monitoring is recommended.

Where can I find the official fast-jwt advisory for CVE-2026-44351?

Refer to the fast-jwt GitHub repository and related security advisories for the latest information and updates regarding CVE-2026-44351.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE

live免费扫描

立即试用 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始：拥有账户后，您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...

浏览文件