CVE-2026-25554
Received Received - Intake
SQL Injection in OpenSIPS auth_jwt Module Enables Authentication Bypass

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: VulnCheck

Description
OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25554
EUVD
EUVD-2026-8694
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
opensips opensips 3.6.4
opensips opensips to 3.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25554 is a SQL injection vulnerability in the auth_jwt module of OpenSIPS versions 3.1 before 3.6.4. The vulnerability occurs in the jwt_db_authorize() function, which extracts the 'tag' claim from a JSON Web Token (JWT) without verifying the token's signature. This unescaped 'tag' claim is then directly inserted into a SQL query, allowing an attacker to inject malicious SQL code."}, {'type': 'paragraph', 'content': "An attacker can craft a malicious JWT containing a SQL injection payload in the 'tag' claim to manipulate the SQL query. This manipulation allows the attacker to inject a secret they control into the query result, which is then used to verify the JWT signature. As a result, the attacker can sign their token with this known secret and bypass authentication, impersonating arbitrary identities."}, {'type': 'paragraph', 'content': "The vulnerability was fixed by properly escaping the 'tag' claim before including it in the SQL query using the escape_common() function, preventing SQL injection."}] [1, 2, 3, 4]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to bypass JWT authentication in OpenSIPS by exploiting the SQL injection flaw in the auth_jwt module. By crafting a malicious JWT with a specially crafted 'tag' claim, the attacker can impersonate arbitrary users or identities within the system."}, {'type': 'paragraph', 'content': 'Such impersonation can lead to unauthorized access to protected resources or services, potentially compromising the confidentiality and integrity of communications handled by OpenSIPS.'}] [1, 2, 3, 4]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your OpenSIPS installation is running a vulnerable version (3.1 up to before 3.6.4) with the auth_jwt module enabled and using a SQL database backend with db_mode enabled.'}, {'type': 'paragraph', 'content': 'One practical approach is to check the OpenSIPS version and the presence of the auth_jwt module:'}, {'type': 'list_item', 'content': 'Run `opensipsctl -V` or check the OpenSIPS version via your package manager or binary.'}, {'type': 'list_item', 'content': 'Verify if the auth_jwt module is loaded by inspecting your OpenSIPS configuration file (usually `opensips.cfg`) for a line like `loadmodule "auth_jwt.so"`.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts or suspicious JWT tokens on your network, you can monitor logs for unusual JWT tokens containing suspicious 'tag' claims that might include SQL injection payloads such as strings containing SQL keywords or special characters like single quotes, double quotes, or SQL comment markers (`--`)."}, {'type': 'paragraph', 'content': "Since the vulnerability involves SQL injection via the 'tag' claim in JWT tokens, you can use network capture tools (e.g., tcpdump or Wireshark) to capture SIP traffic and filter for JWT tokens, then analyze the 'tag' claim for suspicious content."}, {'type': 'list_item', 'content': 'Example command to capture SIP traffic on port 5060: `tcpdump -i any port 5060 -w sip_traffic.pcap`'}, {'type': 'list_item', 'content': "Use a tool or script to decode JWT tokens from captured traffic and inspect the 'tag' claim for suspicious patterns."}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary mitigation step is to upgrade OpenSIPS to version 3.6.4 or later, where the vulnerability has been fixed by properly escaping the 'tag' claim in the jwt_db_authorize() function to prevent SQL injection."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider disabling the auth_jwt module or the db_mode feature if feasible, to prevent the vulnerable code path from being executed.'}, {'type': 'paragraph', 'content': 'Additionally, monitor your logs and network traffic for suspicious JWT tokens that may exploit this vulnerability.'}, {'type': 'paragraph', 'content': "Apply any available patches or backported fixes that implement proper escaping of the 'tag' claim using the escape_common() function as described in the fix."}, {'type': 'paragraph', 'content': 'Ensure that JWT tokens are verified for signature validity before extracting claims to avoid processing untrusted data.'}] [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25554. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart