CVE-2026-34240Improper Verification of Cryptographic Signature in Jose

CWE-347Improper Verification of Cryptographic Signature1047 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 98.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Appsup-dart JoseJose Project Jose
Timeline
PublishedMar 31

Description

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because key selection could treat header-provided jwk as a verification candidate even when that key was not present in the trusted key store. Since JOSE headers are untrusted input, an attacker could exploit this by creating a to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5appsup-dart/jose< 0.3.5+1
NVDappsup-dart/jose< 0.3.5\+1
Pubjose_project/jose< 0.3.5+1

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
jose vulnerable to untrusted JWK header key acceptance during signature verification2026-03-31
CVEList
jose vulnerable to untrusted JWK header key acceptance during signature verification2026-03-31
GHSA
jose vulnerable to untrusted JWK header key acceptance during signature verification2026-03-31

🕵️Threat Intelligence

1043
Wiz
CVE-2026-23948 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-2946 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-4705 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-69651 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-33212 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-34240 — Appsup-dart Jose vulnerability | cvebase