JWT Algorithm Restriction Issue in Strapi Users-Permissions Plugin
CVE-2026-57997

6.3MEDIUM

Key Information:

Vendor

Strapi

Status
Strapi
Vendor
CVE Published:
29 June 2026

What is CVE-2026-57997?

The Strapi users-permissions plugin has a security flaw related to the configuration of JWT algorithms. When the jwt.algorithm parameter is not explicitly set, the plugin permits a broader range of algorithm tokens, including HS384 and HS512, alongside the standard HS256. This introduces a risk for attackers who possess the jwtSecret, enabling them to create tokens with non-standard HMAC variants. Such actions can allow them to bypass algorithm restrictions, ultimately compromising authentication mechanisms and increasing vulnerability to unauthorized access.

Affected Version(s)

strapi 0 < 5.7.0

References

https://github.com/strapi/strapi/issues/26587
issue-tracking
https://github.com/strapi/strapi/pull/26752
patch
https://github.com/strapi/strapi
product

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

BL4CK570RM
.