Description
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the validateAccessToken routine of bookcars version 8.3, which neglects to perform cryptographic signature verification on JSON Web Tokens. As a result, an attacker can generate a forged token with arbitrary claims and submit it to the application, causing the server to accept it as genuine. This flaw enables an attacker to masquerade as any user, access protected resources, and potentially manipulate or exfiltrate confidential data managed by the application.

Affected Systems

The product affected is bookcars v8.3. Vendor information is not supplied by the CNA; the vulnerability was disclosed in a component of the bookcars application, but no definitive vendor attribution is available.

Risk and Exploitability

The EPSS score of less than 1% suggests that active exploitation has not yet been widely observed, yet the CVSS score of 9.8 marks the vulnerability as critical. The absence of cryptographic validation gives an attacker a clear execution path: craft a JWT with desired claims, transmit it via a standard HTTP request to any endpoint that invokes validateAccessToken, and the request will be accepted as authenticated. Based on the description, it is inferred that the attack vector is the submission of a forged JWT over HTTP, as no additional privileges or system access are required. Although the vulnerability is not listed in the CISA KEV catalog and no publicly documented exploit exists, the simplicity of the required steps makes this a high‑risk issue for any deployment of bookcars v8.3.

Generated by OpenCVE AI on June 10, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched version of bookcars that includes proper JWT signature verification.
  • If an official patch is unavailable, modify the validateAccessToken function to validate the JWT signature against the correct secret or public key before accepting the token.
  • Introduce additional authentication safeguards such as IP whitelisting or multi‑factor authentication to reduce the risk while the signature verification is addressed.

Generated by OpenCVE AI on June 10, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Title Forged JWT Token Bypass in bookcars v8.3
Weaknesses CWE-346

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-347
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Bookcars
Bookcars bookcars
Vendors & Products Bookcars
Bookcars bookcars

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Forged JWT Token Bypass in bookcars v8.3
Weaknesses CWE-346

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
References

Subscriptions

Bookcars Bookcars
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T13:55:28.804Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36721

cve-icon Vulnrichment

Updated: 2026-06-10T13:55:20.637Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T19:17:42.500

Modified: 2026-06-10T15:16:33.783

Link: CVE-2026-36721

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T16:15:17Z

Weaknesses