Improper Token Validation Flaw in fast-jwt Library by NearForm
CVE-2026-35039

9.1 CRITICAL

Key Information:

Vendor

Nearform

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-35039?

fast-jwt, a JSON Web Token library for Node.js published by NearForm, caches verification results and lets callers supply a custom cacheKeyBuilder that derives the cache key for a token. If that builder does not return a unique key for every distinct token, two different tokens map to the same cache entry. When the second token is verified, the library returns the claims cached for the first, so the application identifies the requester from the wrong token's claims and can treat one user as another. Applications on the affected versions that authenticate or authorise users from the claims returned by the verifier are therefore exposed to user misidentification.

Affected Version(s)

fast-jwt >= 0.0.1, < 6.1.0

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 6 April 2026

  • Vulnerability Reserved
