CVE-2026-53776
Deferred - Pending Action
Perry JWT Validation Bypass via Expired Tokens

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration: the verify_decode helper in the stdlib JWT verification path unconditionally sets validate_exp = false, so the exp claim is never checked. An attacker holding a previously issued bearer token can present it after its exp time has passed to any jwt.verify() call and retain authenticated access indefinitely, defeating expiry-based session termination such as user logout or administrative revocation.
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
NVD
EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: perryts
Product: perry
Version / Range: all versions before 0.5.1166 (0.5.1166 itself excluded)
CWE
CWE-613 (Insufficient Session Expiration): according to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

CVE-2026-53776 is a vulnerability in Perry versions before 0.5.1166 that affects the JWT (JSON Web Token) validation process. The verify_decode helper in the stdlib JWT verification path unconditionally sets validate_exp to false, so token expiration is never validated, whatever the caller intended.

A remote attacker who holds a previously issued bearer token can therefore keep using it after its exp claim has passed: the signature still verifies, the expiry is never compared against the current time, and every jwt.verify() call that goes through this path accepts the token. Authenticated access persists for as long as the signing key stays the same.

In practice this means that session termination which relies on the token expiring, such as a user logging out or an administrator revoking a session by letting its token lapse, has no effect on an attacker who has already captured the token.

Impact Analysis

This vulnerability can have severe impacts on the security of applications using Perry for JWT authentication.

  • Attackers can replay expired tokens and retain authenticated access for as long as the signing key remains valid.
  • Session termination mechanisms that depend on token expiry, such as user logout or administrative revocation, are bypassed.
  • Confidentiality and integrity are compromised, because the attacker acts with the full authority of the token's subject; the only prerequisite is possession of a token that was valid at some point, with no further user interaction.
  • Because an expired token can be presented remotely to any jwt.verify() call, and replaying a captured token takes no special effort, the risk to affected systems is high.
Mitigation Strategies

To mitigate this vulnerability, upgrade Perry to version 0.5.1166 or later, where the verify_decode helper no longer disables expiration validation unconditionally.

Upgrading makes already-expired tokens fail verification, but it does not invalidate tokens that are still within their lifetime. If a token may have been captured, rotate the signing keys so that every previously issued token is rejected regardless of its exp claim.

Review your jwt.verify() calls, and any wrapper around them, to confirm that expiration validation is enforced and that validate_exp is never set to false outside a deliberate, clearly marked test path. Keep in mind that an exp check only bounds a token's lifetime: logout or administrative revocation that must take effect before exp also needs a server-side mechanism, such as short token lifetimes combined with a revocation list or session store consulted on each request.
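The flaw described above and the review advice, modelled in Python as an added example (this is not Perry's stdlib code; the HS256 helpers, the key, the claims and the fixed clock value are all constructed for the demonstration). The same correctly signed but expired token is accepted by a verify_decode whose validate_exp is hard-wired to false, and rejected by one that enforces exp, while a live token still verifies and a tampered signature fails in both modes:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (constructed signer, standing in for a real issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_decode(token: str, key: bytes, *, validate_exp: bool,
                  now: Optional[int] = None) -> dict:
    """Check signature, then (only if validate_exp) the exp claim; return claims or raise.

    validate_exp=False models the flawed helper, which never reaches the exp check;
    validate_exp=True is the behaviour a caller of jwt.verify() expects.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")          # no alg=none, no key confusion
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if validate_exp:
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)):
            raise ValueError("missing exp")         # no open-ended tokens
        current = now if now is not None else int(time.time())
        if current >= exp:
            raise ValueError("token expired")
    return claims


def demo(now: int = 1_800_000_000) -> dict:
    """Run the four cases at a fixed clock value and report which behaved as expected."""
    key = b"constructed-demo-key-not-a-real-secret"
    results = {}

    # Token that expired an hour ago but carries a valid signature.
    expired = sign_jwt({"sub": "alice", "iat": now - 7200, "exp": now - 3600}, key)

    # Flawed path: signature valid, exp never consulted -> accepted.
    results["flawed_accepts_expired"] = (
        verify_decode(expired, key, validate_exp=False, now=now)["sub"] == "alice")

    # Fixed path: same token, exp enforced -> rejected.
    try:
        verify_decode(expired, key, validate_exp=True, now=now)
        results["fixed_rejects_expired"] = False
    except ValueError as err:
        results["fixed_rejects_expired"] = str(err) == "token expired"

    # Fixed path still accepts a token that has ten minutes left.
    live = sign_jwt({"sub": "alice", "exp": now + 600}, key)
    results["fixed_accepts_live"] = (
        verify_decode(live, key, validate_exp=True, now=now)["sub"] == "alice")

    # Corrupting the signature is caught in both modes: the bug is about exp only.
    tampered = live[:-4] + ("AAAA" if live[-4:] != "AAAA" else "BBBB")
    try:
        verify_decode(tampered, key, validate_exp=False, now=now)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'UNEXPECTED'}")
```

The point of the side-by-side run is that nothing about the expired token looks wrong to the signature check; only the exp comparison distinguishes it, which is why a helper that skips that comparison turns every token ever issued into a permanent credential until the key is rotated.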
