CVE-2026-44699
CRITICALLibJWT: Algorithm confusion allows JWT forgery with RSA JWK as empty-key HMAC
Title source: cnaDescription
LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid JWT without knowing any secret or RSA private key. This is an algorithm-confusion authentication bypass. It affects applications that load RSA keys from JWKS where alg is omitted, which is valid JWK syntax and common in real deployments, and then choose the verification algorithm from the JWT header, for example in a kid lookup callback. This vulnerability is fixed in 3.3.3.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/benmcollins/libjwt/security/advisories/GHSA-q843-6q5f-w55g
Scores
CVSS v4
9.1
EPSS
0.0021
EPSS Percentile
11.0%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-327
CWE-347
Status
published
Products (1)
benmcollins/libjwt
>= 3.0.0, < 3.3.3
Published
May 15, 2026
Tracked Since
May 15, 2026