CVE-2026-35039

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-35039
fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb Patch
https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*
History

22 Apr 2026, 19:05

Type Values Removed Values Added
First Time Nearform fast-jwt
Nearform
References () https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb - () https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb - Patch
References () https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg - () https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg - Mitigation, Vendor Advisory
CPE cpe:2.3:a:nearform:fast-jwt:*:*:*:*:*:node.js:*:*

08 Apr 2026, 12:16

Type Values Removed Values Added
References
  • () https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb -
Summary (en) fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.1.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. (en) fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch.

06 Apr 2026, 17:17

Type Values Removed Values Added
New CVE
Information

Published : 2026-04-06 17:17

Updated : 2026-04-22 19:05

NVD link : CVE-2026-35039

Mitre link : CVE-2026-35039

CVE.ORG link : CVE-2026-35039

JSON object : View

Products Affected

nearform

  • fast-jwt
CWE
CWE-345

Insufficient Verification of Data Authenticity

CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-1289

Improper Validation of Unsafe Equivalence in Input