CVE-2026-25554
SQL Injection in OpenSIPS auth_jwt Module Enables Authentication Bypass
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensips | opensips | 3.6.4 |
| opensips | opensips | up to 3.6.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25554 is a SQL injection vulnerability in the auth_jwt module of OpenSIPS versions 3.1 before 3.6.4. The vulnerability occurs in the jwt_db_authorize() function, which extracts the 'tag' claim from a JSON Web Token (JWT) without verifying the token's signature. This unescaped 'tag' claim is then inserted directly into a SQL query, allowing an attacker to inject SQL code.

An attacker can craft a JWT containing a SQL injection payload in the 'tag' claim to manipulate the SQL query. This manipulation allows the attacker to inject a secret they control into the query result, which is then used to verify the JWT signature. As a result, the attacker can sign their token with this known secret and bypass authentication, impersonating arbitrary identities.

The vulnerability was fixed by properly escaping the 'tag' claim with the escape_common() function before including it in the SQL query, preventing SQL injection. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass JWT authentication in OpenSIPS by exploiting the SQL injection flaw in the auth_jwt module. By crafting a JWT with a specially crafted 'tag' claim, the attacker can impersonate arbitrary users or identities within the system.

Such impersonation can lead to unauthorized access to protected resources or services, potentially compromising the confidentiality and integrity of communications handled by OpenSIPS. [1, 2, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether your OpenSIPS installation is running a vulnerable version (3.1 up to before 3.6.4) with the auth_jwt module enabled and using a SQL database backend with db_mode enabled.

One practical approach is to check the OpenSIPS version and the presence of the auth_jwt module:

- Run `opensipsctl -V` or check the OpenSIPS version via your package manager or binary.
- Verify whether the auth_jwt module is loaded by inspecting your OpenSIPS configuration file (usually `opensips.cfg`) for a line like `loadmodule "auth_jwt.so"`.

To detect exploitation attempts or suspicious JWT tokens on your network, you can monitor logs for unusual JWT tokens whose 'tag' claims might include SQL injection payloads, such as strings containing SQL keywords or special characters like single quotes, double quotes, or SQL comment markers (`--`).

Since the vulnerability involves SQL injection via the 'tag' claim in JWT tokens, you can use network capture tools (e.g., tcpdump or Wireshark) to capture SIP traffic and filter for JWT tokens, then analyze the 'tag' claim for suspicious content.

- Example command to capture SIP traffic on port 5060: `tcpdump -i any port 5060 -w sip_traffic.pcap`
- Use a tool or script to decode JWT tokens from captured traffic and inspect the 'tag' claim for suspicious patterns.

[1, 2, 3]
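The last step above (decode the JWT and inspect the 'tag' claim) can be scripted. The following is an added example, not code from OpenSIPS or from this record: it scans constructed SIP log lines for bearer JWTs, decodes the payload without checking the signature (acceptable for passive review), and flags any 'tag' claim containing the quote, comment-marker or keyword patterns the answer lists. The log format, the tokens and the regexes are assumptions; adapt the extraction regex to whatever your deployment actually logs.

```python
import base64
import json
import re


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Build a JWT with a placeholder signature for the constructed sample logs.
    Detection never verifies the signature, so a real one is not needed here."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"


# Constructed log lines (not real OpenSIPS output); the line layout is an assumption.
SAMPLE_LOG_LINES = [
    "Feb 25 10:01:02 sip1 opensips[1234]: REGISTER sip:example.net from 198.51.100.7 "
    "Authorization: Bearer " + make_sample_jwt({"tag": "alice", "exp": 1772000000}),
    "Feb 25 10:01:05 sip1 opensips[1234]: REGISTER sip:example.net from 203.0.113.9 "
    "Authorization: Bearer " + make_sample_jwt({"tag": "alice'--", "exp": 1772000000}),
    "Feb 25 10:01:07 sip1 opensips[1234]: OPTIONS sip:example.net from 198.51.100.8",
    "Feb 25 10:01:09 sip1 opensips[1234]: INVITE sip:bob@example.net from 203.0.113.9 "
    "Authorization: Bearer " + make_sample_jwt({"tag": 'x" /* y', "exp": 1772000000}),
]

# A bearer token: three base64url segments separated by dots (signature may be empty).
JWT_RE = re.compile(r"Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)")
# Metacharacters and keywords the answer above calls out as suspicious in a 'tag' claim.
SUSPICIOUS_TAG_RE = re.compile(r"""['";]|--|/\*|\b(?:union|select)\b""", re.IGNORECASE)


def decode_jwt_claims(token: str):
    """Return the payload claims dict, or None if the token is malformed.
    The signature is deliberately ignored: fine for log review, and exactly
    the step an authorization path must never skip."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        raw = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(raw)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def find_suspicious_tags(log_lines):
    """Scan log lines for bearer JWTs whose 'tag' claim contains SQL metacharacters."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in JWT_RE.finditer(line):
            claims = decode_jwt_claims(match.group(1))
            if claims is None:
                continue
            tag = claims.get("tag")
            if isinstance(tag, str) and SUSPICIOUS_TAG_RE.search(tag):
                findings.append({"line": lineno, "tag": tag})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_tags(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: suspicious tag claim {hit['tag']!r}")
```

Run against the constructed lines, it reports lines 2 and 4; a benign tag such as `alice` is not flagged. Expect some false positives on tags that legitimately contain quotes, and treat a hit as a trigger for review rather than proof of exploitation.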
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenSIPS to version 3.6.4 or later, where the vulnerability has been fixed by properly escaping the 'tag' claim in the jwt_db_authorize() function to prevent SQL injection.

If upgrading immediately is not possible, consider disabling the auth_jwt module or the db_mode feature, if feasible, to prevent the vulnerable code path from being executed.

Additionally, monitor your logs and network traffic for suspicious JWT tokens that may exploit this vulnerability.

Apply any available patches or backported fixes that implement proper escaping of the 'tag' claim using the escape_common() function as described in the fix.

Ensure that JWT tokens are verified for signature validity before extracting claims to avoid processing untrusted data. [1, 2, 3, 4]
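The explanation at the top of the Q&A and the mitigation advice here describe one pattern: a claim read from a not-yet-verified JWT selects the database row whose secret then verifies that same JWT, so the claim must reach the query only as data. The following added example (not OpenSIPS code; the table, column names and secrets are constructed) shows that flow done safely in Python with sqlite3: the 'tag' claim is bound as a query parameter, the algorithm is pinned server-side, and the claims are trusted only after a constant-time HMAC comparison against the stored secret.

```python
import base64
import hashlib
import hmac
import json
import sqlite3


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_db():
    """Constructed in-memory table mapping a tag to its HMAC secret. Table and
    column names are assumptions standing in for the module's DB backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jwt_secrets (tag TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO jwt_secrets VALUES (?, ?)",
                     [("alice", "constructed-secret-alice"), ("bob", "constructed-secret-bob")])
    conn.commit()
    return conn


def lookup_secret(conn, tag: str):
    """Fetch the secret for a tag using a bound parameter. Quotes, comment markers
    or keywords inside the tag are compared literally and cannot change the query.
    The unsafe pattern this replaces is interpolating the tag into the SQL text."""
    row = conn.execute("SELECT secret FROM jwt_secrets WHERE tag = ?", (tag,)).fetchone()
    return row[0] if row else None


def authorize_jwt(conn, token: str) -> bool:
    """True only if the token is a well-formed HS256 JWT signed with the secret
    stored for its 'tag' claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, non-ASCII segment, or invalid JSON
        return False
    # Pin the algorithm server-side instead of honouring whatever the header says.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    tag = claims.get("tag") if isinstance(claims, dict) else None
    if not isinstance(tag, str) or not tag:
        return False
    # The tag comes from a payload whose signature is not yet verified: it may be
    # used only as an opaque, parameter-bound lookup key, never as trusted data.
    secret = lookup_secret(conn, tag)
    if secret is None:
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    # Constant-time comparison; only after this may the remaining claims be trusted.
    return hmac.compare_digest(expected, sig)


def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Constructed token builder used only to exercise authorize_jwt()."""
    header_b64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                   hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(sig)}"


if __name__ == "__main__":
    db = make_demo_db()
    print(authorize_jwt(db, make_hs256_jwt({"tag": "alice"}, "constructed-secret-alice")))
    print(authorize_jwt(db, make_hs256_jwt({"tag": "alice"}, "not-the-secret")))
```

With the parameter bound, a tag such as `alice'--` simply matches no row, so no attacker-chosen secret can enter the verification step and the token is rejected; the same outcome the escape_common() fix achieves by quoting in C. Escaping and parameter binding are both valid, but binding removes the need to get the quoting rules right for every backend.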