Description
OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.
Published: 2026-02-25
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Impersonation through JWT authentication bypass via SQL injection
Action: Immediate Patch
AI Analysis

Impact

A SQL injection flaw in the auth_jwt module allows an attacker to insert malicious content into the tag claim of a JSON Web Token (JWT). Because the module does not verify the token’s signature before using the claim, the unescaped value is embedded directly into a SQL statement against the authentication database. This enables the attacker to manipulate the query and force the authentication routine to accept the token, thereby bypassing normal authentication controls and allowing impersonation of any user.

Affected Systems

OpenSIPS server software, versions 3.1 up to and including 3.6.4, when the auth_jwt module is enabled with db_mode and a relational database backend. The vulnerability exists in all releases before the commit that fixes the issue.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack requires only the ability to send a crafted JWT to the OpenSIPS instance, implying a remote capability that makes it potentially exploitable over the network, especially where JWTs are accepted without signature validation.

Generated by OpenCVE AI on April 17, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSIPS to version 3.6.4 or later, which includes the patch for the auth_jwt SQL injection.
  • If an upgrade is not immediately feasible, disable the db_mode option in the auth_jwt module to eliminate the vulnerable code path.
  • Configure the JWT handling to perform signature verification before extracting any claim values, ensuring that only valid tokens are processed.

Generated by OpenCVE AI on April 17, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opensips:opensips:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Opensips
Opensips opensips
Vendors & Products Opensips
Opensips opensips

Thu, 26 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

threat_severity

Important

Wed, 25 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.
Title OpenSIPS 3.1 <= 3.6.4 auth_jwt SQL Injection Enables JWT Authentication Bypass
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Opensips Opensips
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T18:02:52.174Z

Reserved: 2026-02-02T20:12:33.395Z

Link: CVE-2026-25554

cve-icon Vulnrichment

Updated: 2026-02-25T19:35:36.791Z

cve-icon NVD

Status : Deferred

Published: 2026-02-25T18:23:40.617

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25554

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-25T16:54:11Z

Links: CVE-2026-25554 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses