GHSA-gmvf-9v4p-v8jc: fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Summary
A critical authentication bypass vulnerability in the `fast-jwt` library allows attackers to forge valid JSON Web Tokens (JWTs, a standard format for transmitting signed user claims) when an asynchronous key resolver function returns an empty string. The library incorrectly accepts the empty string as an HMAC (keyed message authentication code) secret, so an attacker can compute valid signatures with the empty key and bypass authentication entirely on versions up to 6.2.3.
Vulnerability Details
EPSS: 0.0%
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-gmvf-9v4p-v8jc
First tracked: May 6, 2026 at 08:00 PM