VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-36727

Description

BookCars v8.3 allows authentication bypass via forged JWT tokens on the /api/social-sign-in endpoint, enabling account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An insecure authentication vulnerability exists in BookCars versions up to and including v8.3. The /api/social-sign-in endpoint improperly validates JWT access tokens from social sign-in providers. This allows attackers to forge arbitrary JWT tokens and authenticate as any user [1].

Exploitation

An attacker can forge a JWT token with a JSON payload containing arbitrary user details and base64-encode it. This forged token can then be sent to the /api/social-sign-in endpoint to authenticate as the targeted user without needing valid credentials or tokens from legitimate OAuth providers [1].

Impact

Successful exploitation allows an unauthenticated attacker to bypass authentication and gain complete account takeover of any user account that utilizes the social sign-in flow. This grants the attacker the same privileges and access as the compromised user [1].

Mitigation

Mitigations include implementing proper JWT signature verification using the provider's public keys, validating tokens against the social provider's token validation endpoints, implementing token expiration checks, and adding rate limiting to the authentication endpoint. A fixed version is not yet disclosed in the available references [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The system improperly validates JWT tokens by only parsing their structure instead of verifying their cryptographic signatures."

Attack vector

An attacker can exploit this vulnerability by crafting a forged JWT token. This token can then be sent to the `/api/social-sign-in` endpoint. The application will incorrectly validate this forged token, allowing the attacker to authenticate as any user without valid credentials or access from legitimate social providers [1]. This bypasses the intended authentication flow for social sign-in methods like Facebook and Apple [1].

Affected code

The vulnerability resides in the `validateAccessToken` function within `/backend/src/utils/authHelper.ts`. This function fails to perform cryptographic signature verification for JWT tokens. Specifically, for Facebook authentication, it only parses the token, and for Apple, it only checks if the decoded email matches the provided email. The `parseJwt` function in the same file simply base64-decodes the JWT payload without signature validation [1].

What the fix does

The advisory recommends implementing proper JWT signature verification using the provider's public keys and validating tokens against the social provider's token validation endpoints. Additionally, it suggests implementing token expiration checks and rate limiting to prevent brute-force attacks on the authentication endpoint. These measures would ensure that only legitimately issued and signed JWTs are accepted, thereby closing the vulnerability [1].
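As an added illustration (not BookCars code, and not the project's own `validateAccessToken` or `parseJwt`), the decode-only pattern the advisory describes is shown beside a verification routine that pins the algorithm, checks the RS256 signature with the provider's public key, and then enforces `exp` and `aud`. The key pair generated inline stands in for a provider's published key, and `AUDIENCE` is a constructed value.

```typescript
import { createSign, createVerify, generateKeyPairSync } from "crypto";

type Claims = Record<string, unknown>;
// Constructed audience value standing in for the app's client id at the provider.
export const AUDIENCE = "bookcars-demo-client";
export const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// The weak pattern described in the advisory: split the token, base64-decode
// the payload, and trust whatever it says. Nothing here checks who issued it.
export function parseJwtUnsafe(token: string): Claims {
  return JSON.parse(fromB64url(token.split(".")[1]));
}

// Stand-in for the identity provider: issues a properly signed RS256 token.
export function issueJwt(claims: Claims, privateKeyPem: string): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  const sig = createSign("RSA-SHA256").update(input).sign(privateKeyPem);
  return `${input}.${sig.toString("base64url")}`;
}

// Hardened check: pinned algorithm, signature over header.payload verified with
// the provider's public key, then exp and aud. Any failure yields null.
export function verifyJwt(token: string, publicKeyPem: string,
                          now: number = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(fromB64url(h));
    if (header.alg !== "RS256") return null; // the token never picks the algorithm
    const verifier = createVerify("RSA-SHA256").update(`${h}.${p}`);
    if (!verifier.verify(publicKeyPem, Buffer.from(s, "base64url"))) return null;
    const claims: Claims = JSON.parse(fromB64url(p));
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    if (claims.aud !== AUDIENCE) return null;
    return claims;
  } catch {
    return null; // malformed base64/JSON, or a signature OpenSSL rejects outright
  }
}

// Demo key pair generated at load time; in production this is the provider's
// published key (for example fetched from its JWKS endpoint), never a local secret.
export const { publicKey, privateKey } = generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});
```

A token whose payload was edited, whose signature did not come from the provider's key, or whose header requests a different algorithm is accepted by `parseJwtUnsafe` and rejected by `verifyJwt`.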

Preconditions

  • input: The attacker needs to provide a forged JWT token in the request payload.
  • config: The application must be running BookCars version 8.3 or earlier.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
