CVE-2026-57997
Status: Received - Intake

Strapi users-permissions plugin weak JWT algorithm restriction

Vulnerability report for CVE-2026-57997, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
Source: NVD

Affected Vendors & Products

1 associated CPE:

Vendor: strapi
Product: users_permissions_plugin
Version / Range: * (all versions)

Exploitability

CWE

CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.

Executive Summary

The vulnerability exists in the Strapi users-permissions plugin where it fails to restrict the JSON Web Token (JWT) algorithms properly if the configuration setting plugin::users-permissions.jwt.algorithm is not explicitly set.

This failure allows the acceptance of HS384 and HS512 token algorithms in addition to the standard HS256.

An attacker who has access to the jwtSecret can create (mint) tokens using these non-standard HMAC variants, which can bypass the intended algorithm restrictions and weaken the authentication controls.

Impact Analysis

This vulnerability can weaken the authentication mechanism of applications using the Strapi users-permissions plugin.

Attackers with knowledge of the jwtSecret can exploit this flaw to create forged tokens with non-standard algorithms, potentially gaining unauthorized access or bypassing security controls.

This could lead to unauthorized actions within the application, data exposure, or other security breaches depending on the application's context.
