Description
An insecure authentication vulnerability in the /api/social-sign-in endpoint of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
Published: 2026-06-09
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure authentication flaw in the /api/social-sign-in endpoint of bookcars version 8.3. Attackers can create a forged JSON Web Token that the server does not correctly validate. If the forged token is accepted, the attacker can impersonate any user, gaining full access rights granted to that user.

Affected Systems

BookCars web application version 8.3, specifically the /api/social-sign-in API endpoint. No other products or versions are currently documented as affected.

Risk and Exploitability

The exploit requires only the ability to issue HTTP requests to the API; no special user privileges are needed. Because the endpoint does not properly verify the JWT, attackers can bypass authentication entirely, potentially compromising all data stored by the application. No CVSS score is published and the EPSS score is not available, but the nature of the flaw suggests high severity. The vulnerability is not listed in CISA KEV. Remote exploitation is straightforward via crafted HTTP requests.

Generated by OpenCVE AI on June 9, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement strict JWT signature and claim validation on the /api/social-sign-in endpoint.
  • Reject any unsigned, expired, or invalid-issuer tokens and log such attempts.
  • Upgrade to the latest BookCars release or apply the vendor patch once it becomes available; if none is available, consider disabling the social sign-in feature and enforcing additional multi-factor authentication.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Bookcars; Bookcars bookcars
Vendors & Products   (none)           Bookcars; Bookcars bookcars

Tue, 09 Jun 2026 22:15:00 +0000

Type        Values Removed   Values Added
Title       (none)           Insecure Authentication via Forged JWT in BookCars Social Sign-In
Weaknesses  (none)           CWE-287

Tue, 09 Jun 2026 18:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           An insecure authentication vulnerability in the /api/social-sign-in endpoint of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
References   (none)           (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T18:13:17.650Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36727

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-09T19:17:43.207

Modified: 2026-06-09T19:35:05.693

Link: CVE-2026-36727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:23:12Z

Weaknesses