Authentication with JWT allows use of “none”-algorithm
Description
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Pulsar JWT authentication tokens accepted with algorithm 'none', allowing remote impersonation of any user.
Vulnerability
CVE-2021-22160 affects Apache Pulsar instances that use JWT-based token authentication. Pulsar's token validation did not check the signature when the token's `alg` header was set to 'none', so the algorithm declared by the presented token, rather than the one configured on the broker, decided whether any signature check ran at all. This is a well-known weakness in JWT processing: a verifier that honours the token's own algorithm field can be told there is nothing to verify. Versions prior to 2.7.2 are affected. [1][2]
Exploitation
An attacker with network access to a Pulsar broker can craft a JWT whose header declares `"alg": "none"`, whose signature segment is empty, and whose claims name any principal they like (for example an administrative identity). No prior authentication, valid credentials, or knowledge of the broker's signing key are required. The broker accepts the forged token as valid and grants the attacker the privileges of the forged identity. [1]
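As an added example, not code from Apache Pulsar or its advisory, the following Python reproduces the pattern end to end: `mint_hs256` issues a legitimate HS256-signed token as an operator would, `forge_none` builds the attacker's unsigned token, `verify_trusting_header` shows the vulnerable behaviour of letting the token's own `alg` decide what is checked, and `verify_pinned` shows the check a fixed verifier applies (algorithm fixed by the verifier, signature mandatory). The secret, the principal names and the assumption that the principal is carried in the `sub` claim under a symmetric key are constructed for the demo; Pulsar's real provider is Java code on top of a JWT library and is not reproduced here.

```python
# Added example (not Pulsar's code): forging an alg=none JWT and showing why a
# verifier that trusts the token's own "alg" header accepts it, next to the
# pinned-algorithm check that rejects it.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret, standing in for a broker's configured HMAC key
# (assumption for the demo: symmetric HS256 signing).
BROKER_SECRET = b"constructed-demo-secret-do-not-use"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; tolerates the stripped padding (and an empty string)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """Legitimate token: HS256-signed with the broker's key."""
    header, payload = _encode_json({"alg": "HS256", "typ": "JWT"}), _encode_json(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker token: alg=none and an empty signature segment. Needs no key."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable pattern: dispatch on the alg the *token* declares.
    Returns the claims if the token is accepted, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        # "Unsecured JWS": nothing to check, so the claims are taken at face value.
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Hardened pattern: the verifier, not the token, decides the algorithm, and a
    signature is mandatory. "none" (or any other alg) is rejected before any claim
    is read."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Runs both verifiers against a legitimate and a forged token."""
    legit = mint_hs256({"sub": "producer-svc"}, BROKER_SECRET)
    forged = forge_none({"sub": "admin"})  # attacker picks any principal
    return {
        "legit_trusting": verify_trusting_header(legit, BROKER_SECRET),
        "forged_trusting": verify_trusting_header(forged, BROKER_SECRET),
        "legit_pinned": verify_pinned(legit, BROKER_SECRET),
        "forged_pinned": verify_pinned(forged, BROKER_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged token is accepted by the header-trusting verifier as `admin` even though it carries no signature and the attacker never saw the key; the pinned verifier rejects it while still accepting the legitimately signed token. The same shape of check (fix the algorithm, require a signature, only then read claims) is what any JWT verifier should apply regardless of library.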
Impact
Successful exploitation allows an attacker to connect to Pulsar as any user, including administrative accounts. This can lead to full compromise of the Pulsar instance: unauthorized access to topics, reading or writing messages, and modifying cluster configuration. The attack completely bypasses the intended authentication mechanism. [1]
Mitigation
The fix was released in Apache Pulsar version 2.7.2 on 2021-05-26; users should upgrade to this version or later. [2] The fixed broker no longer accepts tokens that declare the 'none' algorithm and validates every token's signature against the configured key. No workaround is given for older versions; upgrading is the only recommended mitigation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.pulsar:pulsar (Maven) | < 2.7.2 | 2.7.2 |
Affected products
- Range: Apache Pulsar
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3cv4-xxv7-934q (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22160 (NVD)
- github.com/apache/pulsar/releases/tag/v2.7.2 (release)
- lists.apache.org/thread.html/r08c7df60cae031361df7fbac39d08b6d5b5079e74db5195d409db9a2@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e@%3Cusers.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r8e545559781231a83bf0644548c660255859e52feb86bbfcd42590da@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r9a12b4da2f26ce9b8f7e7117a879efaa973dab7e54717bbc7923fab1@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ra49cb62105154e4795b259c79a6b27d63bfa2ab5787ff8529b089550@%3Cusers.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rbe845aa1573a61769b9c5916c62971f4b10de87c2ea5f38a97f0cf84@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rca54f4b26ba5e6f2e39732b47ec51640e89f57e3b6a38ac3bab314df@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/re2ae364e0c02093dc721699698c6f23cfbba0220c78b5e28cafeae81@%3Ccommits.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rf2e90942996dceebac8296abf39257cfeb5ae918f82f7af3d37a48c5@%3Cdev.pulsar.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rf54fefc25c49d4715d484133d438f13bf2e515a5fed5d3a745d4f6e7@%3Ccommits.pulsar.apache.org%3E (mailing list)
News mentions
No linked articles in our index yet.