Input Validation Flaw in fast-jwt by NearForm
CVE-2026-34950

9.1CRITICAL

Key Information:

Vendor: Nearform
Status: Fast-jwt
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-34950?

The fast-jwt library, utilized for its efficient JSON Web Token (JWT) implementation, contains a vulnerability in versions up to 6.1.0. The issue resides within the publicKeyPemMatcher regex in the crypto.js file, which fails to properly validate the key string due to a ^ anchor being circumvented by any leading whitespace. This flaw reopens risks associated with JWT algorithm confusion attacks, similar to those previously addressed in another CVE. Developers using this library must update to a more secure version to mitigate potential exploitation.

Affected Version(s)

fast-jwt <= 6.1.0

References

https://github.com/nearform/fast-jwt/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Mar 31, 2026

CVE-2026-34950 Data

JSON

Nearform

What is CVE-2026-34950?

Affected Version(s)

References

CVSS V3.1

Timeline