CVE-2026-53776
Deferred Deferred - Pending Action

Perry JWT Validation Bypass via Expired Tokens

Vulnerability report for CVE-2026-53776, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: VulnCheck

Description

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perryts perry to 0.5.1166 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53776 is a critical vulnerability in Perry versions before 0.5.1166 that affects the JWT (JSON Web Token) validation process. Specifically, the vulnerability arises because the verify_decode helper function in the stdlib JWT verification path unconditionally disables token expiration validation by setting validate_exp to false.

This flaw allows remote attackers who possess a previously issued bearer token to bypass the expiration check of JWT tokens. As a result, expired tokens can still be accepted as valid by any jwt.verify() call, enabling attackers to maintain authenticated access indefinitely.

This means that even after a user logs out or an administrator revokes a session, the attacker can continue to use the expired token to access the system without restriction.

Impact Analysis

This vulnerability can have severe impacts on the security of applications using Perry for JWT authentication.

  • Attackers can bypass token expiration and maintain indefinite authenticated access using expired tokens.
  • It allows unauthorized users to bypass session termination mechanisms such as user logout or administrative revocation.
  • The flaw compromises confidentiality and integrity by allowing persistent unauthorized access without requiring privileges or user interaction.
  • Because the vulnerability is remotely exploitable over a network with low attack complexity, it poses a high risk to affected systems.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Perry to version 0.5.1166 or later, where the issue with unconditional disabling of JWT token expiration validation has been fixed.

Additionally, consider rotating signing keys to invalidate any previously issued tokens that might have been exploited.

Review your use of jwt.verify() calls to ensure that token expiration validation is properly enforced.

Compliance Impact

The vulnerability allows attackers to bypass JWT token expiration, enabling indefinite authenticated access even after sessions should have been terminated, such as during user logout or administrative revocation.

This persistent unauthorized access can lead to insufficient session expiration controls, which is a critical security failure impacting confidentiality and integrity of user data.

Such a failure can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require proper session management and protection of sensitive data to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart