JSON Web Tokens not properly verified
Description
Common before commit 3b96cb0 did not verify JWT signatures, allowing attackers to forge tokens and bypass authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The common package before commit 3b96cb0 did not properly verify the signature of JSON Web Tokens (JWTs). The validateToken method in ValidationUtil.java used Jwts.parser().parse() or Jwts.parser().parseJws() instead of Jwts.parser().parseClaimsJws(); the former calls do not validate the token's signature [2][3][4]. This affects all versions prior to the fix. The code path is reachable by any service that uses the common library to authenticate users via JWTs.
Exploitation
An attacker with network access to a service that uses the vulnerable library can forge a valid JWT by crafting arbitrary claims and signing it with any key (or omitting the signature entirely). The attacker then presents this forged token to the service. Because the validateToken method does not verify the signature, the token is accepted as legitimate [2]. No prior authentication or special privileges are required.
Impact
Successful exploitation allows an attacker to bypass authentication entirely. The attacker can impersonate any user or role by embedding arbitrary claims (e.g., sub, roles) in the forged JWT. This can lead to unauthorized access to protected resources, data disclosure, or privilege escalation, depending on how the application uses JWT claims [2].
Mitigation
The vulnerability is patched in commit 3b96cb0 and later commits 12197a7 and a59ad46 on the master branch [1][2][3][4]. The fix replaces the insecure parse or parseJws call with parseClaimsJws, which verifies the JWT signature. As a workaround, developers can manually use Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token) instead of parse in their own code [2]. No KEV listing is mentioned in the available references.
- Merge pull request #81 from nimble-platform/staging · nimble-platform/common@3b96cb0
- JSON Web Tokens not properly verified
- Use parseClaimsJws method instead of parseJws · nimble-platform/common@a59ad46
- Fixed JWT validation according to https://github.com/nimble-platform/… · nimble-platform/common@12197a7
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: < 3b96cb0293d3443b870351945f41d7d55cb34b53
- nimble-platform/common v5, Range: < 3b96cb0293d3443b870351945f41d7d55cb34b53
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The JWT parser used the `parse` method which does not verify the token's signature, allowing forged tokens to be accepted."
Attack vector
An attacker can forge a valid JSON Web Token because the application's `parse` method does not verify the JWT signature [ref_id=2]. By crafting a JWT with arbitrary claims and any signature (or none), the attacker can present it to the service, which will accept it as legitimate. This allows the attacker to impersonate any user or gain unauthorized access to protected endpoints, leading to authentication bypass [ref_id=2].
Affected code
The vulnerability resides in the JWT parsing logic within `utility/src/main/java/eu/nimble/utility/validation/ValidationUtil.java` [ref_id=2]. The advisory states that the `parse` method was used instead of `parseClaimsJws`, meaning the JWT signature was never verified [ref_id=2].
What the fix does
The patch (commit `3b96cb0`) does not directly show the JWT verification fix in the diff provided; the diff instead introduces a `DynamicName` interface unrelated to JWT handling [ref_id=1]. However, the advisory explains that the fix involves replacing the `parse` method call with `parseClaimsJws`, which properly validates the JWT signature [ref_id=2]. This change ensures that tokens with forged or missing signatures are rejected, closing the authentication bypass.
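The fixed call in the form the advisory recommends, as an added example that is not the common library's own code: it assumes JJWT 0.9.x, a constructed RSA key pair, and the hypothetical class and method names used here, and checks that an unsigned token and a token signed with an untrusted key are both rejected while a genuine one is accepted.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;

public class JwtValidationCheck {

    // Hardened validateToken (hypothetical name, modelled on the fixed call in the advisory).
    // parseClaimsJws only returns for a signed JWS whose signature verifies with the key:
    // an unsigned token ("alg":"none") throws UnsupportedJwtException and a mismatching
    // signature throws SignatureException, both subclasses of JwtException.
    static Claims validateToken(String token, PublicKey verificationKey) {
        return Jwts.parser()
                .setSigningKey(verificationKey)
                .parseClaimsJws(token)
                .getBody();
    }

    // Regression helper: true only if the validator rejects the token.
    static boolean rejects(String token, PublicKey key) {
        try {
            validateToken(token, key);
            return false;
        } catch (JwtException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair trusted = gen.generateKeyPair();   // constructed key the service trusts
        KeyPair other = gen.generateKeyPair();     // constructed key the service does not trust

        String genuine = Jwts.builder().setSubject("alice")
                .signWith(SignatureAlgorithm.RS256, trusted.getPrivate()).compact();
        String unsigned = Jwts.builder().setSubject("admin").compact(); // no signature part
        String wrongKey = Jwts.builder().setSubject("admin")
                .signWith(SignatureAlgorithm.RS256, other.getPrivate()).compact();

        System.out.println("genuine subject:    " + validateToken(genuine, trusted.getPublic()).getSubject());
        System.out.println("unsigned rejected:  " + rejects(unsigned, trusted.getPublic()));
        System.out.println("wrong key rejected: " + rejects(wrongKey, trusted.getPublic()));
    }
}
```

The same two negative cases make a useful unit test against any validateToken that still calls parse or parseJws, since those accept the unsigned token.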
Preconditions
- network: The attacker must be able to send HTTP requests to a service that uses the vulnerable `common` library to parse JWTs.
- config: The service must use the `parse` method (instead of `parseClaimsJws`) to process incoming JWTs.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- https://github.com/nimble-platform/common/commit/12197a755bd524559bf4e16475595a2c6fcd34db (MITRE, x_refsource_MISC)
- https://github.com/nimble-platform/common/commit/3b96cb0293d3443b870351945f41d7d55cb34b53 (MITRE, x_refsource_MISC)
- https://github.com/nimble-platform/common/commit/a59ad46733912a5580530e39cac0e6ebc83cc563 (MITRE, x_refsource_MISC)
- https://github.com/nimble-platform/common/security/advisories/GHSA-fjq8-896w-pv28 (MITRE, x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.