Description
LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid JWT without knowing any secret or RSA private key. This is an algorithm-confusion authentication bypass. It affects applications that load RSA keys from JWKS where alg is omitted, which is valid JWK syntax and common in real deployments, and then choose the verification algorithm from the JWT header, for example in a kid lookup callback. This vulnerability is fixed in 3.3.3.
Published: 2026-05-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibJWT, a C JSON Web Token library, incorrectly accepted an RSA JSON Web Key that lacked an "alg" property as a key for HMAC verification of HS256/HS384/HS512 tokens. The OpenSSL backend interprets the missing alg as a zero‑length key, permitting an attacker to create a valid JWT without possessing the secret or RSA private key. This algorithm‑confusion flaw enables authentication bypass and can give attackers full access to any resource that relies on JWT validation for authorization.

Affected Systems

The vulnerability affects Benmcollins libjwt versions 3.0.0 through 3.3.2. Any application that loads RSA keys from a JWKS where the algorithm is omitted and then selects the verification algorithm from the JWT header is impacted. Systems using libjwt in authentication or session handling should scrutinize their implementation for the presence of this flaw.

Risk and Exploitability

The CVSS score of 9.1 indicates a high‑severity authentication bypass. The EPSS score is not available, and the issue is not listed in CISA KEV. An attacker who can supply a forged JWT—typically via network observation or API integration—can exploit this weakness without needing privileged credentials. The likelihood of exploitation is significant in environments where libjwt is used without hard‑coded algorithm checks, and the impact can range from unauthorized user access to full system compromise depending on the application’s security model.

Generated by OpenCVE AI on May 15, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libjwt to version 3.3.3 or later, where the algorithm confusion bug has been fixed.
  • Validate the "alg" field of incoming JSON Web Keys and reject keys that omit the algorithm when used for HMAC verification.
  • Implement an explicit check that the key type (RSA, EC, etc.) matches the expected signing algorithm (HS*, RS*, ES*, etc.) before verification.
  • Consider disabling automatic algorithm selection based on the JWT header and enforce a fixed algorithm policy aligned with the secret key type.

Generated by OpenCVE AI on May 15, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Benmcollins
Benmcollins libjwt
Vendors & Products Benmcollins
Benmcollins libjwt
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid JWT without knowing any secret or RSA private key. This is an algorithm-confusion authentication bypass. It affects applications that load RSA keys from JWKS where alg is omitted, which is valid JWK syntax and common in real deployments, and then choose the verification algorithm from the JWT header, for example in a kid lookup callback. This vulnerability is fixed in 3.3.3.
Title LibJWT: Algorithm confusion allows JWT forgery with RSA JWK as empty-key HMAC
Weaknesses CWE-327
CWE-347
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Benmcollins Libjwt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:04:58.082Z

Reserved: 2026-05-07T17:07:09.316Z

Link: CVE-2026-44699

cve-icon Vulnrichment

Updated: 2026-05-15T18:01:05.454Z

cve-icon NVD

Status : Received

Published: 2026-05-15T17:16:47.783

Modified: 2026-05-15T19:17:00.467

Link: CVE-2026-44699

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T18:00:05Z

Weaknesses