CVE-2026-44351— fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44351
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (''), for example via the common keys[decoded.header.kid] || '' JWKS-style fallback, fast-jwt converts it to a zero-length Buffer, hands it to crypto.createSecretKey, derives allowedAlgorithms = ['HS256','HS384','HS512'] from it, and then verifies the token's signature against an empty-key HMAC. The attacker simply computes HMAC-SHA256(key='', input='${header}.${payload}'), which Node accepts without complaint — and the verifier returns the attacker-chosen payload (sub, admin, scopes, etc.) as authentic. This vulnerability is fixed in 6.2.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
fast-jwt 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
fast-jwt是Nearform开源的一个 JSON Web Token 实现。 fast-jwt 6.2.4之前版本存在授权问题漏洞,该漏洞源于异步密钥解析流程中的关键身份验证绕过漏洞,允许未经身份验证的攻击者伪造任意JWT令牌。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44351
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44351
请登录查看更多情报信息。
- https://github.com/nearform/fast-jwt/security/advisories/GHSA-gmvf-9v4p-v8jcx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44351
IV. Related Vulnerabilities
Same product: fast-jwt
- CVE-2026-35041
ReDoS in fast-jwt when using RegExp in allowed* leading to C - CVE-2026-35040
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministi - CVE-2026-35042
fast-jwt accepts unknown `crit` header extensions (RFC 7515 - CVE-2026-35039
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Col - CVE-2026-34950
fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algor
Same vendor: nearform
- CVE-2026-35041
ReDoS in fast-jwt when using RegExp in allowed* leading to C - CVE-2026-35040
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministi - CVE-2026-35042
fast-jwt accepts unknown `crit` header extensions (RFC 7515 - CVE-2026-35039
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Col - CVE-2026-34950
fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algor
Same weakness: CWE-287
- CVE-2026-44551
Open WebUI: LDAP Empty Password Authentication Bypass - CVE-2026-5229
Receive Notifications After Form Submitting – Form Notify fo - CVE-2026-8621
Crabbox < v0.12.0 Authentication Bypass via Header Spoofing - CVE-2026-20182
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulne - CVE-2026-8181
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to
V. Comments for CVE-2026-44351
No comments yet