JSON Web Token Signature Bypass via kid SQL Injection

high Web App Scanning Plugin ID 115299

Synopsis

JSON Web Token Signature Bypass via kid SQL Injection

Description

JSON Web Tokens can be signed to protect against data tampering. The 'kid' (Key ID) header parameter is commonly used by applications to look up the key that must be used to verify the token signature.

When the 'kid' value is concatenated into a SQL query without proper sanitization, an attacker can inject a payload that forces the key lookup to return a value they control. The attacker can then sign a forged token with that value, which will be accepted by the application.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

Ensure that the application validates every JSON Web Token against a trusted key it controls. Header parameters that influence key resolution (kid, jwk, jku, x5u, x5c) must never be trusted as-is: pin verification to a known key or a strict allow-list, reject tokens whose header selects an unexpected key, and sanitize any value used to look up or load a key.

See Also

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://portswigger.net/web-security/jwt

https://research.securitum.com/jwt-json-web-token-security/

Plugin Details

Severity: High

ID: 115299

Type: Check Based

Published: 7/17/2026

Updated: 7/17/2026

Scan Template: api, basic, full, mcp, pci, scan

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information