{"data":{"id":"e3bd5b14-0706-4956-8b55-5cd4b8dade6d","title":"GHSA-gmvf-9v4p-v8jc: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver","summary":"A critical authentication bypass vulnerability in the `fast-jwt` library allows attackers to forge valid JSON Web Tokens (JWTs, a standard format for securely transmitting user information) when an asynchronous key resolver function returns an empty string. The library accepts the empty string as an HMAC (a keyed message authentication method) secret instead of rejecting it, so an attacker can compute a valid signature with the empty key and bypass authentication entirely. Versions up to and including 6.2.3 are affected.","solution":"Upgrade to fast-jwt 6.2.4 or later, the fixed version listed for this advisory. No other mitigation is discussed in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-gmvf-9v4p-v8jc","publishedAt":"2026-05-06T22:26:37.000Z","cveId":"CVE-2026-44351","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["other"],"issueType":"vulnerability","affectedPackages":["fast-jwt@<= 6.2.3 (fixed: 6.2.4)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["fast-jwt"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-06T22:26:37.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}