Description
Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.
Published: 2026-06-29
Score: 6.3 Medium (CVSS v4.0; the v3.1 vector on this page scores 4.8)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Strapi users-permissions plugin does not pin the JWT algorithm when plugin::users-permissions.jwt.algorithm is absent, so tokens signed with HMAC-SHA-384 (HS384) and HMAC-SHA-512 (HS512) are accepted in addition to the expected HS256. HS384 and HS512 are not cryptographically weaker than HS256; the weakness (tagged CWE-327 on this page) is that the server does not restrict the accepted algorithm set, so the alg value carried in the token's own header decides which HMAC variant is checked. An attacker who already holds jwtSecret can therefore mint tokens with any of the three variants and have them accepted, which defeats any algorithm-based restriction an operator believes to be in force (for example, accepting HS256 only). Because the secret is a precondition, this weakens authentication controls rather than providing a standalone bypass: whoever holds jwtSecret can already forge HS256 tokens, and without it none of the three variants can be forged.

Affected Systems

The issue is confined to the Strapi application, specifically the users-permissions plugin (CPE cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*, with no version range). No affected or fixed versions are recorded on this page, so any deployment that leaves plugin::users-permissions.jwt.algorithm unset should be treated as potentially affected until the vendor publishes version details.

Risk and Exploitability

The 6.3 Medium rating is the CVSS v4.0 score; the v3.1 vector recorded on this page (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) scores 4.8. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Both vectors encode the precondition: the attacker must already possess jwtSecret (AC:H, and AT:P in the v4.0 vector), so the likelihood of exploitation depends on a prior secret compromise, for example a leaked .env file or configuration committed to a repository. Once the secret is in hand, minting an accepted token is trivial, needs no existing account (PR:N), and is indistinguishable from a legitimate session at the token layer, so detection efforts belong on the secret's exposure and on tokens whose alg header differs from the one the application issues.

Generated by OpenCVE AI on June 29, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strapi to a release that includes a fix for the users-permissions JWT algorithm handling once the vendor publishes one; at the time of this page no vendor fix is recorded.
  • Until then, set plugin::users-permissions.jwt.algorithm explicitly (HS256 is the value the plugin otherwise expects) in the plugin configuration so that only that algorithm is accepted, and confirm after deployment that a token signed with the correct secret but an HS512 header is rejected.
  • Store jwtSecret outside the repository (environment variable or secret manager), restrict read access to the configuration to trusted personnel, and rotate it if exposure is suspected; rotation invalidates every outstanding token, so schedule it and expect users to re-authenticate.
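As an added illustration (not Strapi's own code or documentation), here is the shape of a config/plugins.js with the unpinned setting beside the pinned one, plus a small check a deployment script can run against it. It assumes the usual Strapi convention that the plugin's settings live under the 'users-permissions' key of config/plugins.js and that the identifier plugin::users-permissions.jwt.algorithm named on this page maps to config.jwt.algorithm there; the env helper is the argument Strapi passes to config functions, and JWT_SECRET is a placeholder variable name. Confirm the option name against the Strapi version you run.

```javascript
// Added example, not Strapi's own code: the unpinned plugin configuration
// beside the pinned one, written as the function Strapi evaluates from
// config/plugins.js. Assumption: plugin::users-permissions.jwt.algorithm
// resolves to ['users-permissions'].config.jwt.algorithm in this file.

// Before: jwt.algorithm is absent, so HS256, HS384 and HS512 tokens signed
// with jwtSecret are all accepted.
const unpinnedPluginsConfig = ({ env }) => ({
  'users-permissions': {
    config: {
      jwtSecret: env('JWT_SECRET'),
      jwt: { expiresIn: '7d' },
    },
  },
});

// After: the algorithm is pinned to the single value the application issues.
const pinnedPluginsConfig = ({ env }) => ({
  'users-permissions': {
    config: {
      jwtSecret: env('JWT_SECRET'),
      jwt: { algorithm: 'HS256', expiresIn: '7d' },
    },
  },
});

// Deployment check: evaluate the config the way Strapi would, read the
// algorithm back, and fail loudly when it is missing or not approved.
function assertJwtAlgorithmPinned(pluginsConfig, env, approved = ['HS256']) {
  const jwt = pluginsConfig({ env })['users-permissions']?.config?.jwt ?? {};
  if (!jwt.algorithm) throw new Error('users-permissions jwt.algorithm is not set');
  if (!approved.includes(jwt.algorithm)) throw new Error(`jwt.algorithm ${jwt.algorithm} is not approved`);
  return jwt.algorithm;
}

// Hypothetical env lookup so the check can run outside Strapi.
const demoEnv = (name) => ({ JWT_SECRET: 'placeholder-only' })[name];

// Strapi loads the file's default export; ship the pinned version.
if (typeof module !== 'undefined') module.exports = pinnedPluginsConfig;
```

Run the check against the exported config in CI so a future edit that drops the algorithm line fails the build instead of silently reopening the unpinned behaviour.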



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added (initial record: every field below was added, nothing removed)

Description: Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.
Title: Strapi users-permissions - JWT Algorithm Confusion via Missing Algorithm Configuration
First Time appeared: Strapi; Strapi strapi
Weaknesses: CWE-327
CPEs: cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*
Vendors & Products: Strapi; Strapi strapi
References: (none)
Metrics:
  cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T21:16:35.174Z

Reserved: 2026-06-26T17:58:05.796Z

Link: CVE-2026-57997

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm