Improper Authentication in fast-jwt | CVE-2026-44351

Q: How to fix?

Upgrade fast-jwt to version 6.2.4 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-FASTJWT-16439016
published7 May 2026
disclosed6 May 2026
creditbhaswanthc

Report a new vulnerability Found a mistake?

Introduced: 6 May 2026

NewCVE-2026-44351 (opens in a new tab) CWE-1391 (opens in a new tab) CWE-326 (opens in a new tab)

How to fix?

Upgrade fast-jwt to version 6.2.4 or higher.

Overview

fast-jwt is a Fast JSON Web Token implementation

Affected versions of this package are vulnerable to Improper Authentication in the async key resolver when it returns an empty string or zero-length buffer. An attacker can gain unauthorized access and assume arbitrary identities by forging JWTs signed with an empty secret, which are then accepted as valid tokens.

Note: This is only exploitable if the application uses an asynchronous callback for key resolution and the callback can return an empty string or zero-length buffer, while HMAC algorithms are allowed (default configuration).

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Authentication Affecting fast-jwt package, versions <6.2.4

Severity