CVE-2026-36721

Deferred Deferred - Pending Action

Authentication Bypass via Forged JWT in Bookcars

Publication date: 2026-06-09

Last updated on: 2026-06-10

Assigner: MITRE

Description

A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-10

Generated

2026-06-30

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-28

NVD

CVE-2026-36721

Affected Vendors & Products

Vendor	Product	Version / Range
bookcars	bookcars	8.3
bookcars	bookcars	to 8.3 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-347	The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

Executive Summary

CVE-2026-36721 is an authorization bypass vulnerability in BookCars software versions up to and including v8.3. The issue arises because the authentication middleware incorrectly relies on the Origin header to determine user roles and permissions. Attackers can spoof this header to impersonate a regular user, which allows them to bypass authentication and gain unauthorized access to admin-only endpoints.

This vulnerability is caused by improper role-based access control (RBAC) implementation, where permissions are inferred from client-controlled headers instead of validating the user's actual role stored in the database.

Impact Analysis

This vulnerability can allow attackers to bypass authentication and gain unauthorized access to sensitive administrative functions within the BookCars application. For example, attackers can access admin-only endpoints such as /api/users, potentially leading to unauthorized data access, modification, or other administrative actions that should be restricted.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP requests to the affected BookCars application, specifically looking for requests where the Origin header is spoofed to match the frontend host value. Such requests may indicate attempts to bypass authentication and access admin-only endpoints.

You can use network traffic inspection tools like curl or tcpdump to observe suspicious requests. For example, using curl to test access to an admin endpoint with a spoofed Origin header:

curl -H "Origin: https://frontend.bookcars.example" https://your-bookcars-server/api/users

Additionally, inspecting server logs for requests to admin endpoints that include unusual or unexpected Origin headers can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves fixing the improper role-based access control (RBAC) implementation by explicitly defining required roles at the endpoint level and validating the user's actual role from the database rather than relying on client-controlled headers like Origin.

Specifically, update the authentication middleware to stop using the Origin header for permission checks and instead verify user roles securely from the backend database.

As a temporary measure, monitor and block requests with suspicious Origin headers attempting to access admin endpoints.

Compliance Impact

This vulnerability allows attackers to bypass authentication and gain unauthorized access to sensitive administrative functions by exploiting improper role-based access control. Such unauthorized access to sensitive data or administrative controls can lead to violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Specifically, failure to properly verify user roles and permissions may result in unauthorized disclosure or modification of protected data, undermining compliance with data protection and privacy requirements mandated by these regulations.

Hi! I’m here to help you understand CVE-2026-36721. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70