Authentication Bypass via Forged JWT in BookCars

Compliance Impact

The vulnerability allows attackers to bypass authentication and take over user accounts via forged JWT tokens in the social sign-in flow. This unauthorized access to user accounts can lead to exposure or misuse of personal data.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over user authentication and protection of personal data.

Therefore, this vulnerability poses a risk to compliance with common standards and regulations by undermining the security of user authentication and potentially exposing sensitive user information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-36727 is an insecure authentication vulnerability in the BookCars software version 8.3 and earlier. It affects the /api/social-sign-in endpoint, where JWT access tokens from social sign-in providers like Facebook or Apple are improperly validated.

Attackers can exploit this vulnerability by forging arbitrary JWT tokens through simple base64-encoding of a JSON payload. This allows them to authenticate as any user without valid credentials or legitimate OAuth tokens, leading to complete account takeover via social sign-in flows.

The root cause is the validateAccessToken function failing to perform proper cryptographic signature verification. Instead, it only checks the token structure or compares decoded email fields, making it trivial to bypass authentication. Additionally, the parseJwt function decodes the token payload without validating its signature against the provider's public key.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to complete account takeover by attackers without needing valid credentials or legitimate OAuth tokens.

Attackers can impersonate any user by forging JWT tokens, potentially gaining unauthorized access to sensitive user data and performing actions on behalf of the compromised accounts.

This can result in data breaches, loss of user trust, and unauthorized transactions or changes within the affected application.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing requests to the /api/social-sign-in endpoint for acceptance of forged JWT tokens that are only base64-encoded without proper signature verification.

One approach is to capture and inspect JWT tokens used in social sign-in flows to check if tokens lacking valid cryptographic signatures are accepted.

Suggested commands include using tools like curl or HTTP interceptors to send crafted JWT tokens with manipulated payloads but no valid signature to the endpoint and observe if authentication is bypassed.

• Example curl command to test the endpoint with a forged JWT token: curl -X POST https://your-bookcars-domain/api/social-sign-in -H "Authorization: Bearer <forged_base64_encoded_jwt>"
• Use JWT decoding tools (e.g., jwt.io) to create tokens with arbitrary payloads and no valid signature for testing.
• Monitor logs for unusual authentication successes with tokens that do not have valid signatures.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing proper JWT signature verification using the social sign-in providers' public keys to ensure tokens are authentic.

Additionally, validate tokens against the social provider endpoints to confirm their legitimacy.

Enforce token expiration checks to prevent reuse of old tokens.

Add rate limiting on the /api/social-sign-in endpoint to prevent brute force attempts with forged tokens.

Review and update the affected files (/backend/src/utils/authHelper.ts, /backend/src/routes/userRoutes.ts, /backend/src/controllers/userController.ts) to fix the flawed authentication logic.

Useful 0 Not Useful 0