Medium severity (score 4.4) · GHSA Advisory · Published May 26, 2026 · Updated May 26, 2026
CVE-2026-41164
Description
nuts-node is the reference implementation of the Nuts specification. Prior to versions 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key held on the node, without validating the JWT type (`typ` header), the binding between the token's issuer and the signing key, or the presence of the claims an access token must carry. As a result a Verifiable Presentation (VP) JWT, which the node signs with the same keys, can be replayed as an access token and receives an `active: true` introspection response, so a relying party consulting the endpoint treats a credential presentation as a valid access token. The vulnerability is fixed in 6.2.3 and 5.4.31.
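The flaw described above, as an added worked example in Go (the project's language). This is not nuts-node code and does not reproduce the project's actual patch; it assumes an EdDSA JWT whose `kid` header names a key held on the node, the RFC 9068 `at+jwt` type for access tokens, `sub`, `scope` and `exp` as the required claims, and a `keyBinding` map from key to the issuer it may sign for. The DIDs, key ids and tokens are constructed for the example. `introspectWeak` performs only the signature check the vulnerable endpoint performed; `introspectStrict` adds the three validations the advisory says were missing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Illustrative types only; none of these names or structures come from nuts-node.
type keyBinding struct{ pub ed25519.PublicKey; issuer string } // a node-held key and the issuer it may sign for
type node struct{ keys map[string]keyBinding }                  // stand-in for the node's key set, kid -> key
var enc = base64.RawURLEncoding

// signJWT builds a compact EdDSA JWT; used only to construct the sample tokens in demo().
func signJWT(priv ed25519.PrivateKey, header, claims map[string]any) string {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifySignature does only what the vulnerable endpoint did: resolve kid against the
// node's keys and check the signature. It returns the decoded header and claims.
func (n *node) verifySignature(token string) (map[string]any, map[string]any, keyBinding, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, keyBinding{}, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, nil, keyBinding{}, err
		}
		raw[i] = b
	}
	var hdr, claims map[string]any
	if json.Unmarshal(raw[0], &hdr) != nil || json.Unmarshal(raw[1], &claims) != nil {
		return nil, nil, keyBinding{}, errors.New("malformed JSON")
	}
	kid, _ := hdr["kid"].(string)
	kb, ok := n.keys[kid]
	if !ok || !ed25519.Verify(kb.pub, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return nil, nil, keyBinding{}, errors.New("unknown kid or bad signature")
	}
	return hdr, claims, kb, nil
}

// introspectWeak reproduces the flaw in the advisory: any JWT that verifies under a node key is "active".
func (n *node) introspectWeak(token string) bool { _, _, _, err := n.verifySignature(token); return err == nil }

// introspectStrict adds the three checks the advisory lists as missing.
func (n *node) introspectStrict(token string, now time.Time) (bool, error) {
	hdr, claims, kb, err := n.verifySignature(token)
	if err != nil {
		return false, err
	}
	// 1. JWT type: only tokens explicitly typed as access tokens (RFC 9068 "at+jwt"); a VP JWT is typed "JWT".
	if typ, _ := hdr["typ"].(string); typ != "at+jwt" {
		return false, fmt.Errorf("typ %q is not an access token", typ)
	}
	// 2. Issuer-to-key binding: iss must be the issuer this kid is registered to sign for.
	if iss, _ := claims["iss"].(string); iss != kb.issuer {
		return false, fmt.Errorf("iss %q is not bound to kid %v", iss, hdr["kid"])
	}
	// 3. Required claims: sub and scope present, exp numeric and still in the future (clock injected for testing).
	if exp, ok := claims["exp"].(float64); claims["sub"] == nil || claims["scope"] == nil || !ok || now.Unix() >= int64(exp) {
		return false, errors.New("sub, scope or valid exp missing")
	}
	return true, nil
}

// demo builds a node holding an authorization-server key and a holder key, then introspects a genuine
// access token, a VP JWT replayed as a token, and a token carrying AS claims but signed with the holder key.
func demo() (weak, strict [3]bool) {
	asPub, asPriv, _ := ed25519.GenerateKey(rand.Reader)
	hPub, hPriv, _ := ed25519.GenerateKey(rand.Reader)
	n := &node{keys: map[string]keyBinding{"as#1": {asPub, "did:example:as"}, "holder#1": {hPub, "did:example:holder"}}}
	now := time.Unix(1_700_000_000, 0) // fixed clock so the result is reproducible
	at := map[string]any{"iss": "did:example:as", "sub": "did:example:holder", "scope": "example", "exp": now.Add(10 * time.Minute).Unix()}
	vp := map[string]any{"iss": "did:example:holder", "aud": "did:example:as", "vp": map[string]any{}, "exp": at["exp"]}
	tokens := [3]string{
		signJWT(asPriv, map[string]any{"alg": "EdDSA", "typ": "at+jwt", "kid": "as#1"}, at),   // genuine access token
		signJWT(hPriv, map[string]any{"alg": "EdDSA", "typ": "JWT", "kid": "holder#1"}, vp),   // VP JWT replayed as a token
		signJWT(hPriv, map[string]any{"alg": "EdDSA", "typ": "at+jwt", "kid": "holder#1"}, at), // AS claims, wrong key
	}
	for i, t := range tokens {
		weak[i] = n.introspectWeak(t)
		strict[i], _ = n.introspectStrict(t, now)
	}
	return weak, strict
}

func main() { fmt.Println(demo()) } // [true true true] [true false false]
```

Run with `go run`: the weak path reports all three tokens active, while the strict path accepts only the genuine access token, rejecting the VP on its `typ` and the holder-key-signed token on the issuer binding. The point for anyone auditing a similar endpoint is that a valid signature from "a key we hold" says nothing about what the token is for; type, issuer-to-key binding and required claims each have to be checked explicitly.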
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/nuts-foundation/nuts-node | Go | <= 1.1.0 | — |
Note: the "<= 1.1.0" range and the empty patched-versions column in this table do not match the description above, which states the issue is fixed in 6.2.3 and 5.4.31. Treat the advisory's own version statement and the linked release tags as authoritative when deciding whether a deployment is affected.
Affected products
- Range: <= 1.1.0
References
- https://github.com/advisories/GHSA-9hmg-827w-9rhj (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-41164 (NVD)
- https://github.com/nuts-foundation/nuts-node/releases/tag/v5.4.31 (release)
- https://github.com/nuts-foundation/nuts-node/releases/tag/v6.2.3 (release)
- https://github.com/nuts-foundation/nuts-node/security/advisories/GHSA-9hmg-827w-9rhj (repository advisory)