Algorithm Confusion in LibJWT for RSA JWKs Without alg Parameter
CVE-2026-44699

9.1CRITICAL

Key Information:

Vendor: Benmcollins
Status: Libjwt
Vendor: CVE Published:; 15 May 2026

🔔 Create Benmcollins Vulnerability Alert

What is CVE-2026-44699?

LibJWT, a C library for handling JSON Web Tokens, is vulnerable from versions 3.0.0 to 3.3.2. It accepts an RSA JSON Web Key (JWK) that lacks an 'alg' parameter, which can lead to an authentication bypass through algorithm confusion. This flaw allows attackers to forge valid JWTs without requiring access to a secret or RSA private key. The issue arises during HMAC verification when a zero-length key is unintentionally used, resulting in potential exploitation in applications that load RSA keys from JWKS with omitted 'alg' parameters. The vulnerability has been addressed in version 3.3.3.

Affected Version(s)

libjwt >= 3.0.0, < 3.3.3

References

https://github.com/benmcollins/libjwt/security/advisories...

x_refsource_CONFIRM

CVSS V4

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44699 Data

JSON