Description
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Perry web framework implements JWT verification by using a helper that unconditionally sets validate_exp to false, effectively disabling the standard expiration check (CWE‑613). Attackers possessing a previously issued bearer token can present that expired token to any jwt.verify() call, and the framework will accept it as valid, giving the attacker continuous authenticated access even after logout or administrative revocation. This remote authentication bypass allows malicious persistence within the system, essentially granting unauthorized access over time.

Affected Systems

The vulnerability affects all releases of Perry prior to version 0.5.1166. Any installation of Perry older than that revision is vulnerable because the verify_decode function incorrectly permits expired tokens. The flaw is present across all environments where Perry is deployed, as it stems from the core JWT handling logic.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity with remote access and authentication impact, while the EPSS score of less than 1% suggests limited proof of exploitation in the wild. Because the vendor has not listed the flaw in the CISA KEV catalog, operators may be unaware of its presence. Attackers only need possession of a valid bearer token to exploit the flaw, making the attack surface broad and the exploitation path straightforward. The resulting authentication bypass enables attackers to continue using stale tokens, effectively undermining session revocation mechanisms.

Generated by OpenCVE AI on June 17, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Perry to version 0.5.1166 or later to receive the fix.
  • If an upgrade is not immediately possible, temporarily enforce token expiration checks by manually setting validate_exp to true or implementing a custom verification layer that rejects expired tokens.
  • After applying the fix, rotate all existing JWT secrets and invalidate any previously issued tokens to ensure old sessions cannot be reused.

Generated by OpenCVE AI on June 17, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Perryts
Perryts perry
Vendors & Products Perryts
Perryts perry

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
Title Perry < 0.5.1166 JWT Expiration Bypass via verify_decode
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T17:10:04.656Z

Reserved: 2026-06-10T20:14:32.825Z

Link: CVE-2026-53776

cve-icon Vulnrichment

Updated: 2026-06-16T17:09:31.535Z

cve-icon NVD

Status : Deferred

Published: 2026-06-16T17:16:42.620

Modified: 2026-06-16T17:36:59.703

Link: CVE-2026-53776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration