
Description

OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.

PUBLISHED Reserved 2026-02-02 | Published 2026-02-25 | Updated 2026-02-25 | Assigner VulnCheck




HIGH: 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

3.1 (semver) before 3.6.4
affected

Credits

Pavel Kohout, Aisle Research, www.aisle.com finder

References

opensips.org/pub/opensips/3.6.4/ChangeLog release-notes

github.com/OpenSIPS/opensips/pull/3807 issue-tracking

github.com/...ommit/3822d33c1c6b25832fdd88da1d23eed74be55b05 patch

opensips.org/ product

www.vulncheck.com/...ction-enables-jwt-authentication-bypass third-party-advisory

cve.org (CVE-2026-25554)

nvd.nist.gov (CVE-2026-25554)
