JSON Web Token Signature Bypass via Unvalidated jwk Parameter

high Web App Scanning Plugin ID 115301

Synopsis

JSON Web Token Signature Bypass via Unvalidated jwk Parameter

Description

JSON Web Tokens can be signed to protect against data tampering. The 'jwk' (JSON Web Key) header parameter can embed the public key that must be used to verify the token signature.

When the application trusts the key embedded in the 'jwk' header instead of a key it controls, an attacker can embed their own public key in the token header and sign a forged token with the matching private key, which will be accepted by the application.

Depending on the token usage, attackers could leverage this vulnerability to forge valid tokens and impersonate other users, or gain further privileges.

Solution

Ensure that the application validates every JSON Web Token against a trusted key it controls. Header parameters that influence key resolution (kid, jwk, jku, x5u, x5c) must never be trusted as-is: pin verification to a known key or a strict allow-list, reject tokens whose header selects an unexpected key, and sanitize any value used to look up or load a key.

See Also

https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries

https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html

https://portswigger.net/web-security/jwt

https://research.securitum.com/jwt-json-web-token-security/

Plugin Details

Severity: High

ID: 115301

Type: Check Based

Published: 7/17/2026

Updated: 7/17/2026

Scan Template: api, basic, full, mcp, pci, scan

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information