Description
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31.
Published: 2026-05-26
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the v1 access token introspection endpoint accepts any JWT signed by a key available on the node, without validating the JWT type, the issuer-to-key binding, or the required claims. This logic flaw lets an attacker replay a Verifiable Presentation (VP) JWT as if it were an access token, causing the introspection API to return active: true and effectively bypassing the authentication check. The result is unauthorized use of the token, potentially granting the attacker access to services that require a valid access token.

Affected Systems

The issue affects the nuts-node implementation of the Nuts specification, specifically versions prior to 6.2.3 and 5.4.31. The vulnerable endpoint is /auth/v1/introspect_access_token, which is part of the public API for token introspection.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity; no EPSS data is available, and the vulnerability is not listed in CISA KEV. Exploitation is likely remote and requires only possession or crafting of a VP JWT signed by a key the node recognizes. Once such a token is replayed, the introspection service reports it as valid, enabling the attacker to gain unauthorized access. The absence of exploitation reports and the moderate CVSS suggest a moderate but non-negligible risk for deployments that rely on this endpoint.

Generated by OpenCVE AI on May 26, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nuts-node to version 6.2.3 or 5.4.31, which include the fix for the JWT type validation
  • If an upgrade cannot be performed immediately, add server-side validation to the /auth/v1/introspect_access_token endpoint to enforce the expected JWT type, require the issuer-to-key binding and the required claims, and reject any VP JWTs
  • Rotate or revoke any compromised signing keys and implement monitoring for unexpected introspection responses that indicate replayed VP JWTs

Generated by OpenCVE AI on May 26, 2026 at 19:22 UTC.
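The missing checks described under Impact and the server-side validation recommended above, as an added example that is not nuts-node's own code: a minimal introspection routine in its vulnerable form (a signature that verifies under any node key means active) beside a hardened form that also enforces the token type, the issuer-to-key binding and the required claims. It assumes HMAC-keyed stand-in node keys, an "at+jwt" type header and a sub/scope/exp claim set; nuts-node's real key material, type value and claim names are not taken from this page.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the node's key set (key ID -> secret); HMAC keeps it dependency-free.
NODE_KEYS = {"did:web:node.example#key-1": b"constructed-secret"}
ACCESS_TOKEN_TYP = "at+jwt"  # assumed access-token "typ" (RFC 9068); not nuts-node's own value

def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(header, claims):
    """Build a compact JWS under one of the node's keys (used only to construct test input)."""
    si = _b64e(json.dumps(header).encode()) + "." + _b64e(json.dumps(claims).encode())
    return si + "." + _b64e(hmac.new(NODE_KEYS[header["kid"]], si.encode(), hashlib.sha256).digest())

def parse_jws(token):
    """Signature check under some node key (all the vulnerable v1 endpoint verified); None on failure."""
    h, c, s = token.split(".")
    header, claims = json.loads(_b64d(h)), json.loads(_b64d(c))
    key = NODE_KEYS.get(header.get("kid"))
    if key is None or not hmac.compare_digest(hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest(), _b64d(s)):
        return None
    return header, claims

def introspect_v1(token):
    """Vulnerable behaviour: any JWT that verifies under a node key is reported active."""
    return {"active": parse_jws(token) is not None}

def introspect_hardened(token, now=None):
    """Additionally enforce the token type, the issuer-to-key binding and the required claims."""
    parsed = parse_jws(token)
    if parsed is None:
        return {"active": False}
    header, claims = parsed
    if header.get("typ") != ACCESS_TOKEN_TYP:  # a VP JWT carries typ "JWT", so it is rejected here
        return {"active": False, "reason": "not an access token (typ)"}
    iss = claims.get("iss", "")
    if not iss or not header.get("kid", "").startswith(iss + "#"):  # signing key must belong to the issuer
        return {"active": False, "reason": "signing key not bound to issuer"}
    missing = [c for c in ("sub", "scope", "exp") if c not in claims]
    if missing:
        return {"active": False, "reason": "missing claims: " + ", ".join(missing)}
    if claims["exp"] <= (time.time() if now is None else now):
        return {"active": False, "reason": "expired"}
    return {"active": True, "sub": claims["sub"], "scope": claims["scope"]}

# Constructed tokens, both signed with the node's key: a VP JWT and a genuine access token.
VP_TOKEN = sign({"alg": "HS256", "typ": "JWT", "kid": "did:web:node.example#key-1"},
                {"iss": "did:web:node.example", "vp": {"type": ["VerifiablePresentation"]}, "exp": 4102444800})
ACCESS_TOKEN = sign({"alg": "HS256", "typ": "at+jwt", "kid": "did:web:node.example#key-1"},
                    {"iss": "did:web:node.example", "sub": "did:web:client.example", "scope": "read", "exp": 4102444800})
```

Running introspect_v1 and introspect_hardened over VP_TOKEN shows the difference directly: the vulnerable form answers active for the replayed VP, the hardened form stops it at the type check.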


Advisories
Source: Github GHSA
ID: GHSA-9hmg-827w-9rhj
Title: nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token
History

Wed, 27 May 2026 18:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Nuts-foundation
                                       Nuts-foundation nuts-node
Vendors & Products                     Nuts-foundation
                                       Nuts-foundation nuts-node

Tue, 26 May 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31.
Title                          nuts-node: JWT type confusion in v1 access token introspection allows VP replay as access token
Weaknesses                     CWE-345
References
Metrics                        cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:24:40.295Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41164

Vulnrichment

Updated: 2026-05-27T17:24:36.457Z

NVD

Status: Deferred

Published: 2026-05-26T18:16:47.683

Modified: 2026-06-17T10:46:15.657

Link: CVE-2026-41164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:08:48Z

Weaknesses
  • CWE-345: Insufficient Verification of Data Authenticity