5 matches found
CVE-2026-6911
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...
CVE-2026-33746
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
CVE-2026-33322
CVE-2026-33322 (MinIO) is a JWT algorithm confusion vulnerability in MinIO’s OpenID Connect authentication. From RELEASE.2022-11-08T05-27-07Z up to but not including RELEASE.2026-03-17T21-25-16Z, an attacker who knows the OIDC ClientSecret can forge arbitrary identity tokens and obtain S3 credent...
PT-2026-23074
Name of the Vulnerable Software and Affected Versions pac4j-jwt versions prior to 4.5.9 pac4j-jwt versions prior to 5.7.9 pac4j-jwt versions prior to 6.3.3 Description An authentication bypass exists in the JwtAuthenticator component when processing encrypted JSON Web Tokens JWTs. Remote attacker...
pac4j-jwt 数据伪造问题漏洞
pac4j-jwt is an JWT authentication module developed by pac4j as open source. Versions of pac4j-jwt prior to 4.5.9, 5.7.9, and 6.3.3 contained a data manipulation vulnerability. This vulnerability stems from the JwtAuthenticator’s inability to properly handle encrypted JWTs, leading to an...