CVE-2026-41164: Access Token JWT Replay in Nuts Node
Status: Received - Intake

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31.
Meta Information
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor           Product    Version / Range
nuts_foundation  nuts_node  up to 6.2.3 (inclusive)
nuts_foundation  nuts_node  up to 5.4.31 (inclusive)
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

The CVE-2026-41164 vulnerability is a JWT type confusion issue in the nuts-node software's access token introspection endpoint (/auth/v1/introspect_access_token). This endpoint accepts any JWT signed by the node's key without properly validating the JWT type, issuer-to-key binding, or required claims.

Because both access tokens and Verifiable Presentation (VP) JWTs use the same "JWT" type header, the introspection endpoint can be tricked into accepting a VP JWT as a valid access token. This allows an attacker to replay a VP JWT as an access token and receive an active: true response from the introspection endpoint.

The vulnerability arises from missing checks on the typ header (which should require "at+jwt" for access tokens), the binding between issuer and key ID, and required claims like service.


How can this vulnerability impact me? :

An attacker could exploit this vulnerability by presenting a Verifiable Presentation JWT from a victim organization as a bearer access token, thereby tricking the resource server into accepting it as valid.

This could potentially allow unauthorized access to resources protected by the nuts-node system.

However, the severity is considered moderate due to mitigating factors such as the short lifespan of VPs, empty service and issuer claims in the replayed token, and the requirement for resource servers to validate service, issuer, and audience values for routing.

Resource servers can also mitigate the risk by explicitly validating the introspection response.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the acceptance of any JWT signed by a node's key at the /auth/v1/introspect_access_token endpoint without proper validation. To detect exploitation attempts, monitor network traffic for JWT tokens being sent to this endpoint and inspect the JWT headers and claims.

Specifically, look for JWTs where the typ header is not "at+jwt", or where the issuer-to-key binding and required claims like service are missing or empty.

You can use commands to capture and decode JWT tokens from network traffic, for example:

  • Use tcpdump or Wireshark to capture HTTP POST requests to /auth/v1/introspect_access_token.
  • Extract the JWT token from the request body.
  • Decode the JWT token header and payload using tools like jwt-cli or online JWT decoders to verify the typ header and claims.
  • Example command to decode a JWT token locally (assuming the token is stored in a variable TOKEN): jwt decode $TOKEN
  • Alternatively, use curl to send introspection requests and observe responses for tokens that should not be accepted.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in nuts-node versions 6.2.3 and 5.4.31 by adding proper validation of the JWT typ header, issuer-to-key binding, and required claims.

Immediate mitigation steps include:

  • Upgrade nuts-node to version 6.2.3 or 5.4.31 or later to apply the official fix.
  • If upgrading is not immediately possible, configure resource servers to explicitly validate the introspection response, ensuring that the service, issuer (iss), and audience (aud) claims are present and valid before accepting tokens.
  • Monitor and restrict access to the /auth/v1/introspect_access_token endpoint to trusted clients only.
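The checks the fix adds can be seen together in the following Go program, an added example written for this page and not nuts-node's own code. It models a node key store as a map from kid to a key and its owning DID (hypothetical types), signs two JWTs with the same EdDSA key, and shows that a signature-only check accepts the VP JWT while a check that also requires typ "at+jwt", an iss equal to the key owner's DID, non-empty service and aud claims, and an unexpired exp reports it inactive. All DIDs, kid and claim values are constructed for the example, and the real endpoint's claim set and key model may differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Header and Claims carry only the JWT fields the introspection check reads.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}
type Claims struct {
	Iss     string         `json:"iss,omitempty"`
	Aud     string         `json:"aud,omitempty"`
	Exp     int64          `json:"exp"`
	Service string         `json:"service,omitempty"`
	Vp      map[string]any `json:"vp,omitempty"`
}

// NodeKey is a signing key present on the node, bound to the DID that owns it
// (hypothetical key-store model for this example, not nuts-node's own types).
type NodeKey struct {
	OwnerDID string
	Pub      ed25519.PublicKey
}

type Node map[string]NodeKey // kid -> key present on the node

func decodePart(s string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Sign produces a compact EdDSA JWS over the given header and claims.
func Sign(priv ed25519.PrivateKey, h Header, c Claims) string {
	enc := base64.RawURLEncoding
	hb, _ := json.Marshal(h)
	cb, _ := json.Marshal(c)
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyNodeSignature checks only that the token is well formed and signed by a key
// present on the node; answering active:true on success alone is the pre-fix behaviour.
func (n Node) VerifyNodeSignature(token string) (h Header, c Claims, key NodeKey, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || decodePart(parts[0], &h) != nil || decodePart(parts[1], &c) != nil {
		return h, c, key, errors.New("malformed token")
	}
	key, ok := n[h.Kid]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || h.Alg != "EdDSA" || err != nil || !ed25519.Verify(key.Pub, []byte(parts[0]+"."+parts[1]), sig) {
		return h, c, key, errors.New("not signed by a key present on the node")
	}
	return h, c, key, nil
}

// IntrospectFixed adds the checks the advisory names: typ must be at+jwt, the issuer
// must be the DID that owns the signing key, and the routing claims must be present.
func (n Node) IntrospectFixed(token string, now time.Time) (active bool, reason string) {
	h, c, key, err := n.VerifyNodeSignature(token)
	switch {
	case err != nil:
		return false, err.Error()
	case h.Typ != "at+jwt":
		return false, "typ must be at+jwt"
	case c.Iss == "" || c.Iss != key.OwnerDID:
		return false, "issuer not bound to signing key"
	case c.Service == "" || c.Aud == "":
		return false, "missing service or aud claim"
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return false, "expired"
	}
	return true, ""
}

// BuildScenario makes one node key and two tokens it signed; every value is constructed.
func BuildScenario() (node Node, priv ed25519.PrivateKey, accessToken, vpToken string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const did, kid = "did:web:example.com:holder", "did:web:example.com:holder#key-1"
	node = Node{kid: {OwnerDID: did, Pub: pub}}
	exp := time.Now().Add(5 * time.Minute).Unix()
	accessToken = Sign(priv, Header{Alg: "EdDSA", Typ: "at+jwt", Kid: kid},
		Claims{Iss: did, Aud: "did:web:example.com:resource", Exp: exp, Service: "example-service"})
	// The VP JWT is signed by the same key but carries typ "JWT" and none of the access-token claims.
	vpToken = Sign(priv, Header{Alg: "EdDSA", Typ: "JWT", Kid: kid},
		Claims{Exp: exp, Vp: map[string]any{"type": []string{"VerifiablePresentation"}}})
	return node, priv, accessToken, vpToken
}
```

A resource server doing the explicit validation recommended above applies the same typ, iss, aud and service checks to the claims it gets back from the introspection response, rather than trusting active: true on its own.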
