External risk intelligence

Ruby JWT Vulnerability Allows Unauthenticated Token Verification.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-45363

The vulnerability exists in a widely used library for handling JSON Web Tokens (JWT). JWT validation is a core component of authentication and authorization logic in many internet-facing web applications and APIs, making this library functionality commonly exposed to network-based inputs from external users.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in a widely used Ruby library for JSON Web Tokens (JWTs), a standard for securely transmitting information between parties. The issue allows for the forging of tokens, potentially impacting authentication and authorization mechanisms in applications that use this library for validation, especially when specific configurations related to key handling are present. The main concern is to confirm relevance and exposure within your environment.

  • Unsecured JWT validation can allow forged tokens.
  • Critical for systems managing user access and identity.
  • Confirm if your Ruby applications use this library.

Attack Path

How an attacker could exploit the issue

An attacker can forge a JSON Web Token (JWT) by exploiting a weakness in how the ruby-jwt library verifies tokens. This occurs when the library incorrectly handles an empty secret key during the signature verification process, allowing a crafted token to be accepted. This could lead to an attacker gaining unauthorized access or privileges.

  • Unauthenticated network access is sufficient.
  • Malicious token submitted for verification.
  • Compromised authentication or authorization.

Live Threat

Current exploitation, exposure, and threat context

The ruby-jwt library, when used with HS256, HS384, or HS512 algorithms, could be tricked into accepting forged tokens without proper key verification. This occurs when the key used for signing is empty or not properly provided, allowing an attacker to bypass signature checks when supported by the advisory.

  • JWT verification processes.
  • Attacker-forged tokens accepted.
  • Unauthorized access to services.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in a widely used JWT library impacts applications relying on `ruby-jwt` for token verification. Owners of applications and services utilizing this library must first identify all instances, assess their exposure to external or unauthorized access, and confirm business criticality. Subsequently, coordinate with platform or development teams to plan and implement the necessary updates, prioritizing those with the highest exposure or criticality.

  • Application owners should address this.
  • Verify unauthenticated JWT verification.
  • Plan updates based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the ruby-jwt library?

ruby-jwt is a standard library used by Ruby developers to implement JSON Web Tokens (JWT). Developers rely on it to securely transmit claims between two parties, such as a client and a server. It is a fundamental component for managing identity, authentication, and authorization within Ruby-based web applications and APIs.

How does CVE-2026-45363 affect token security?

This vulnerability involves improper authentication (CWE-287) and inadequate algorithm strength (CWE-326). Essentially, the library fails to properly validate the signature of a token when a secret key is unexpectedly empty or nil. By exploiting this flaw, an attacker can submit a forged token that the library incorrectly accepts as valid, potentially bypassing the application's entire security gate.

Do I need a special trigger to exploit this bug?

The bug is triggered when the library performs signature verification using HS256, HS384, or HS512 algorithms under specific conditions where the key is missing or invalid. It is important to note that if your application always requires a strong, non-empty secret key and does not fall back to empty-key scenarios or specific key-finder patterns, the vulnerability may not be triggered by a forged token.

How do I know if my application is at risk?

Per Halo Surface Signal, this library is widely used in internet-facing APIs, making it a likely target for network-based attacks. If your Ruby application processes JWTs from external users to grant access or determine permissions, it is highly relevant. You should prioritize checking any public-facing services that rely on ruby-jwt for session or request authentication.

When should I update ruby-jwt?

You should plan to update your ruby-jwt dependencies immediately. The fix is available in versions 2.10.3 and 3.2.0. As a first step, perform an inventory of your Ruby projects to identify which services use affected versions, then coordinate with your development team to apply these patches, prioritizing systems that process authentication requests from untrusted network sources.

References