External risk intelligence

Perry JWT Validation Bypass Allows Indefinite Authentication

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-53776

A JWT validation vulnerability in Perry allows remote attackers to bypass token expiration, potentially granting indefinite authenticated access using previously issued tokens. This could circumvent session invalidation mechanisms like logouts or revocations, posing a significant risk to systems relying on this JWT ver

Halo Surface Signal: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-53776

The vulnerability exists in a JWT validation mechanism, a standard component used by web applications and APIs to manage authentication. Because JWTs are commonly employed in internet-facing web services to handle session state and access control, this vulnerability is likely to be reachable in many common public-facing deployment patterns.

PCI scan relevance

PCI Relevance for CVE-2026-53776

Yes

CVE-2026-53776 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows remote attackers to bypass token expiration by exploiting the flaw in JWT validation. The resulting unauthorized access is considered an automatic fail for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Perry's JWT validation that could allow unauthorized access by bypassing token expiration. Attackers in possession of a previously issued token can leverage this to maintain authenticated access indefinitely, even after a user logs out or an administrative revocation occurs. The main concern is confirming relevance and exposure to this specific JWT validation mechanism.

  • Attackers can bypass token expiration.
  • Retain authenticated access indefinitely.
  • Confirm relevance and exposure of JWT validation.

Attack Path

How an attacker could exploit the issue

An attacker can bypass security controls by exploiting a flaw in how the system validates token expiration. This allows them to use old, previously issued tokens to maintain access indefinitely, even after actions like logging out or administrative revocation.

  • No authentication required to attack.
  • Attackers submit expired tokens.
  • Persistent authenticated access.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, this JWT validation vulnerability could allow attackers to bypass token expiration. This could result in indefinite authenticated access by presenting previously issued, expired tokens, circumventing expected session invalidation such as user logouts or administrative revocations.

  • Indefinite access to authenticated services.
  • Expired tokens could be presented.
  • Continued unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Perry's JWT validation impacts any system using it for authentication, potentially allowing attackers to bypass token expiration. Owners of applications and services relying on Perry for JWT verification are responsible for identifying affected instances, assessing their exposure and business criticality, and planning remediation.

  • Application owners should own this issue.
  • Verify token expiration bypass and reachability.
  • Plan remediation based on risk assessment.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Perry and how is it used?

Perry is a software component often used to handle JSON Web Tokens (JWTs). Developers integrate it into their web applications and APIs to manage authentication and user sessions, ensuring that only users with valid credentials can access protected resources.

What does CVE-2026-53776 mean for JWT security?

This CVE describes a weakness classified as CWE-613: Insufficient Session Expiration. Essentially, the software contains a flaw where it fails to properly enforce time-based limits on authentication tokens, allowing tokens that should have expired to remain functionally valid.
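To make the CWE-613 pattern concrete, the following is an added illustration written for this page (it is not Perry's code and says nothing about how Perry is implemented): a minimal HS256 JWT verifier that checks the signature but never consults exp, beside a hardened verifier that requires exp and rejects stale tokens, plus a regression check that issues an already-expired token and reports whether the verifier under test still accepts it. The secret key and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: bytes) -> str:
    # Issue an HS256 token; exp (seconds since epoch) is just another claim.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _verify_signature(token: str, key: bytes) -> dict:
    # Algorithm is fixed to HS256 here; the header's alg field is never trusted.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))

def verify_weak(token: str, key: bytes) -> dict:
    # CWE-613 pattern: the signature is checked but exp is ignored, so any
    # previously issued token stays valid forever (logout/revocation bypassed).
    return _verify_signature(token, key)

def verify_hardened(token: str, key: bytes, now=None, leeway: int = 30) -> dict:
    # Hardened: require a numeric exp and reject once now exceeds exp + leeway.
    claims = _verify_signature(token, key)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("missing or malformed exp")
    if (time.time() if now is None else now) > exp + leeway:
        raise ValueError("token expired")
    return claims

def accepts_expired_token(verify, key: bytes) -> bool:
    # Regression check: mint a token that expired an hour ago and see whether
    # the verifier under test still accepts it. True means the CWE-613 defect.
    stale = sign({"sub": "alice", "exp": int(time.time()) - 3600}, key)
    try:
        verify(stale, key)
        return True
    except ValueError:
        return False
```

Pointing accepts_expired_token at your own service's verification routine (a wrapper that raises ValueError on rejection) gives a repeatable check that strict expiration is actually enforced after an upgrade.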

How can an attacker trigger this bypass?

An attacker needs a previously issued bearer token to trigger this vulnerability. By presenting an expired token to the affected system, they can trick the software into accepting it as current. Note that this flaw is specific to the token validation logic; it does not grant access if no prior token exists or if the token was never issued for that service.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a likely risk because JWT validation is a standard pattern for internet-facing web services and APIs. If your Perry-based services are exposed to the public internet, they are prime candidates for this type of session bypass.

What steps should I take if I use Perry?

First, identify all instances where your applications use the affected Perry components for token verification. Once identified, evaluate whether those services rely on strict token expiration to maintain security. Finally, coordinate with your development team to update to a version beyond 0.5.1166 to resolve the verification logic flaw.
