Access Restriction Bypass in jwt-go Library
CVE-2020-26160
7.5 HIGH
What is CVE-2020-26160?
A vulnerability exists in the jwt-go library prior to version 4.0.0-preview1 that allows attackers to bypass intended access restrictions. It occurs when the audience claim ('aud') is defined as an empty slice: the type assertion on the claim fails, so the value of 'aud' silently defaults to an empty string. Consequently, if a JWT whose 'aud' takes this form is presented to a service that relies on the library and does not perform its own audience validation, an attacker may gain unauthorized access to sensitive resources.
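As an added illustration (not code from the jwt-go project or from this advisory), the Go snippet below reimplements in simplified form the audience check the advisory describes, beside a version that handles both the string and array forms of 'aud' that RFC 7519 allows. The claims maps and the 'billing-api' audience are constructed sample values; the example goes beyond the advisory's empty-slice case by also showing that a non-empty slice naming a different audience is accepted by the flawed check.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// verifyAudienceVulnerable models the pre-4.0.0-preview1 behaviour the advisory
// describes (simplified reimplementation, not jwt-go's own code).
func verifyAudienceVulnerable(claims map[string]interface{}, expected string, required bool) bool {
	aud, _ := claims["aud"].(string) // a slice fails the assertion, so aud == ""
	if aud == "" {
		return !required // empty audience passes unless the caller requires one
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// audienceValues normalises "aud" to a list, covering both shapes RFC 7519
// allows (one string or an array) and the []interface{} encoding/json yields.
func audienceValues(v interface{}) []string {
	var out []string
	switch a := v.(type) {
	case string:
		out = []string{a}
	case []string:
		out = a
	case []interface{}:
		for _, e := range a {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// verifyAudienceFixed accepts the token only if some "aud" entry equals expected.
func verifyAudienceFixed(claims map[string]interface{}, expected string) bool {
	for _, a := range audienceValues(claims["aud"]) {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	t := map[string]interface{}{"aud": []string{}} // the []string{} case the advisory names
	fmt.Println(verifyAudienceVulnerable(t, "billing-api", false), verifyAudienceFixed(t, "billing-api"))
}
```

The hardened version rejects a missing, empty or unrecognised claim instead of defaulting it to "", so a service that wants audience enforcement gets it without relying on the caller remembering to set required.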