Authentication Bypass in Fast-JWT by NearForm
CVE-2026-44351

9.1 CRITICAL

Key Information:

Vendor: Nearform
Status: Vendor
CVE Published: 13 May 2026

What is CVE-2026-44351?

Fast-jwt, a lightweight JavaScript implementation of JSON Web Tokens (JWTs), has a vulnerability in its async key-resolver flow in versions prior to 6.2.4. When the key resolver returns an empty string, the library converts it into a zero-length Buffer and uses that Buffer as the HMAC signing key. Because an HMAC computed with an empty key depends on nothing secret, an unauthenticated attacker can compute a signature that the application verifies successfully, and can therefore forge arbitrary JWTs with payloads of their choosing and gain illegitimate access. Version 6.2.4 fixes the issue.

Affected Version(s)

fast-jwt < 6.2.4

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
