
CVE-2026-44351: Critical fast-jwt Auth Bypass via Empty Key


The National Vulnerability Database has published CVE-2026-44351, a critical authentication bypass in fast-jwt, a popular JSON Web Token (JWT) implementation for Node.js. Before version 6.2.4, a flaw in the fast-jwt asynchronous key-resolver flow lets an unauthenticated attacker forge arbitrary JWTs that the library accepts as legitimate. The vulnerability is rated CVSS 9.1 (Critical).

The flaw hinges on how fast-jwt handles an empty string ('') returned by the key resolver, a common outcome of JWKS-style fallbacks when the token's kid (key ID) is not found. Instead of rejecting the empty string, fast-jwt converts it into a zero-length Buffer and passes it to crypto.createSecretKey; the resulting key is then treated as valid for the HMAC algorithms HS256, HS384 and HS512, and the token's signature is verified against an HMAC computed with an empty key. Because HMAC-SHA256(key='', input='${header}.${payload}') is something anyone can compute and Node.js accepts it, an attacker can inject an arbitrary payload (e.g. sub, admin, scopes) that the verifier deems authentic.

This vulnerability fundamentally undermines the integrity of JWT-based authentication. Any application using fast-jwt with an async key-resolver that might return an empty string is at severe risk. The fix is available in fast-jwt version 6.2.4. Defenders must prioritize patching to prevent complete authentication bypass and unauthorized access to protected resources.

What This Means For You

  • If your application relies on `fast-jwt` for authentication, immediately verify its version. If it's prior to 6.2.4, you are vulnerable to complete authentication bypass. Patch to `fast-jwt` 6.2.4 without delay and review your key-resolver logic to ensure it never returns an empty string or null for unknown key IDs. Assume any unpatched system is compromised and audit logs for suspicious JWT activity.


🛡️ Detection Rules

Six detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; one is shown below in Sigma YAML.

Severity: high · ATT&CK: T1190 (Initial Access)

Web Application Exploitation Attempt — CVE-2026-44351

Sigma YAML
title: Web Application Exploitation Attempt — CVE-2026-44351
id: scw-2026-05-13-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-44351 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44351/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-44351

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type         Indicator
CVE-2026-44351  Auth Bypass  fast-jwt versions prior to 6.2.4
CVE-2026-44351  Auth Bypass  fast-jwt async key-resolver flow
CVE-2026-44351  Auth Bypass  Key resolver returning an empty string ('') leading to HMAC verification with an empty key
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

