CVE Catalog

CVE-2026-25554

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile - higher than 24% of all known CVEs

Summary

The auth_jwt module in OpenSIPS versions 3.1 before 3.6.4 contains a SQL injection vulnerability in the jwt_db_authorize() function. An attacker can send a crafted JWT with a malicious tag claim that is directly incorporated into a SQL query without sanitization, allowing bypass of JWT authentication and impersonation of arbitrary identities.

Risk Assessment

The risk is a complete bypass of JWT authentication, enabling an attacker to impersonate any user and gain unauthorized access to protected resources.

Recommendation

Upgrade OpenSIPS to version 3.6.4 or later, which includes the fix (commit 3822d33). If upgrading is not possible, temporarily disable the auth_jwt module or the database backend in db_mode.

Original NVD description (English source)

OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS