Access Token Introspection Vulnerability in Nuts-node by Nuts Foundation
CVE-2026-41164

4.4 MEDIUM

Key Information:

CVE Published: 26 May 2026

What is CVE-2026-41164?

Before versions 6.2.3 and 5.4.31, nuts-node (the Nuts Foundation's implementation of the Nuts specification) has a vulnerability in its v1 access token introspection endpoint. The endpoint accepts any JSON Web Token (JWT) that carries a valid signature from a key held by the node, without checking the JWT type, whether the signing key actually belongs to the claimed issuer, or whether the claims an access token must carry are present. As a result, a Verifiable Presentation (VP) JWT signed on the node can be replayed to the endpoint as if it were an access token, and the endpoint reports it as active, leading to access and authorization outcomes that were never properly verified. The issue is fixed in versions 6.2.3 and 5.4.31.
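To make the three missing checks concrete, here is an added illustration of an introspection handler before and after the fix. It is not nuts-node's code or API; it is written in Go because nuts-node is a Go project. Everything about the setup is a hypothetical simplification: HS256 shared secrets stand in for the node's keys, key ids are DID URLs of the form `<did>#<fragment>` so issuer-key binding reduces to comparing the DID part with `iss`, the access token type is RFC 9068's `at+jwt`, and the DIDs, secrets and claim values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// keyStore: the keys a node holds, by kid. Hypothetical: HS256 secrets stand in for node keys.
type keyStore map[string][]byte
type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
	Kid string `json:"kid"`
}
type claims struct {
	Iss   string         `json:"iss"`
	Aud   string         `json:"aud,omitempty"`
	Scope string         `json:"scope,omitempty"`
	Exp   int64          `json:"exp,omitempty"`
	VP    map[string]any `json:"vp,omitempty"`
}

var enc = base64.RawURLEncoding

// sign produces a compact HS256 JWS: b64(header).b64(claims).b64(hmac).
func sign(key []byte, h header, c claims) string {
	hb, _ := json.Marshal(h)
	cb, _ := json.Marshal(c)
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return input + "." + enc.EncodeToString(m.Sum(nil))
}

// verifySignature checks only that the token is a JWS under a key the node holds.
func verifySignature(ks keyStore, token string) (h header, c claims, err error) {
	parts := strings.Split(token, ".")
	if hb, e := enc.DecodeString(parts[0]); len(parts) != 3 || e != nil || json.Unmarshal(hb, &h) != nil {
		return h, c, fmt.Errorf("not a compact JWS with a valid header")
	}
	key, ok := ks[h.Kid]
	sig, e := enc.DecodeString(parts[2])
	if h.Alg != "HS256" || !ok || e != nil {
		return h, c, fmt.Errorf("alg %q unsupported, kid %q unknown, or bad signature", h.Alg, h.Kid)
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, m.Sum(nil)) {
		return h, c, fmt.Errorf("signature invalid")
	}
	if cb, e := enc.DecodeString(parts[1]); e != nil || json.Unmarshal(cb, &c) != nil {
		return h, c, fmt.Errorf("bad claims")
	}
	return h, c, nil
}

// vulnerableIntrospect mirrors the flaw: any JWT that verifies under a node key is "active".
func vulnerableIntrospect(ks keyStore, token string) bool {
	_, _, err := verifySignature(ks, token)
	return err == nil
}

// hardenedIntrospect adds the three checks the advisory says were missing.
func hardenedIntrospect(ks keyStore, token, aud string, now time.Time) (bool, error) {
	h, c, err := verifySignature(ks, token)
	if err != nil {
		return false, err
	}
	// 1. JWT type: only tokens explicitly typed as access tokens (RFC 9068 "at+jwt").
	if h.Typ != "at+jwt" {
		return false, fmt.Errorf("typ %q is not an access token", h.Typ)
	}
	// 2. Issuer-key binding: kid is assumed to be a DID URL "<did>#<fragment>" whose DID must equal iss.
	if did, _, ok := strings.Cut(h.Kid, "#"); !ok || did != c.Iss {
		return false, fmt.Errorf("kid %q is not a key of issuer %q", h.Kid, c.Iss)
	}
	// 3. Required claims present, aud is this server, token not expired.
	if c.Scope == "" || c.Exp == 0 || c.Aud != aud || now.Unix() >= c.Exp {
		return false, fmt.Errorf("missing or unacceptable scope/exp/aud")
	}
	return true, nil
}

// replayVP replays a holder's VP JWT at both variants; returns (vulnAcceptsVP, hardAcceptsVP, hardAcceptsAT).
func replayVP() (bool, bool, bool) {
	as, holder, now := "did:web:authz.example", "did:web:holder.example", time.Now() // constructed
	ks := keyStore{as + "#key-1": []byte("as-secret"), holder + "#key-1": []byte("holder-secret")}
	at := sign(ks[as+"#key-1"], header{Alg: "HS256", Typ: "at+jwt", Kid: as + "#key-1"},
		claims{Iss: as, Aud: as, Scope: "read", Exp: now.Add(5 * time.Minute).Unix()})
	vp := sign(ks[holder+"#key-1"], header{Alg: "HS256", Typ: "JWT", Kid: holder + "#key-1"},
		claims{Iss: holder, VP: map[string]any{"type": []string{"VerifiablePresentation"}}})
	hardVP, _ := hardenedIntrospect(ks, vp, as, now)
	hardAT, _ := hardenedIntrospect(ks, at, as, now)
	return vulnerableIntrospect(ks, vp), hardVP, hardAT
}
```

`replayVP` returns `true, false, true`: the signature-only variant reports the holder's VP as an active access token, while the hardened variant rejects it at the type check and still accepts the genuine access token. The order of the checks matters less than their presence; in a real node the issuer-key binding step would resolve `iss` as a DID and confirm the key is listed in its DID document rather than comparing string prefixes.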

Affected Version(s)

nuts-node >= 6.0.0-alpha.1, < 6.2.3 (fixed in 6.2.3)

nuts-node < 5.4.31 (fixed in 5.4.31)


CVSS v3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Note: under the CVSS v3.1 formula the metrics listed above evaluate to 5.5, not 4.4; a base score of 4.4 corresponds to the same vector with Availability: None. One of the two values shown on this page is therefore inconsistent, so check the vendor advisory before relying on either.

Timeline

  • Vulnerability published: 26 May 2026

  • Vulnerability reserved