OpenSIPS versions 3.1 before 3.6.4 that include the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT before its signature has been verified and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25554.json"
"2026-04-12T20:28:27Z"
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"78101614203459480529403337418902407056",
"102319332738492448463919102042223060891",
"52907280310805016979564471421018966554",
"149910951557791198439169948466501926330",
"104563185497889765062119864739244630464",
"311621968327641248618712719192684977883",
"216091442876333318595135198681984797562",
"293718913230172323595973942299859317861",
"73408486204413253667817718754350822779",
"314253767360744617079709853668124157042",
"260356464502525214173907132490372476876",
"35790631418735746970858757954512788320",
"156077533617645975374780769441416108953",
"32599162646421885250953157184719303331",
"294278510469129187987372743326614525783",
"217568550749364409669775450399449219214",
"74324575998797169939427912992005575797",
"253514004039073508634609791744993159965",
"325667233045641622792776717826656528762",
"70365281334577459671828510155128419528",
"139039736357107671337145660518272792383",
"5358951753337218650900315039053426901",
"202675061219130691895141306473948275572",
"159707165905016840141736655572666574282",
"324855910841244746811111871422394008385",
"69387538469151401814567450709327513049",
"155289679256226658981602761137539998504",
"337144336384510319510181686657831280971",
"92601107541447900962949901650065537275"
]
},
"source": "https://github.com/opensips/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05",
"id": "CVE-2026-25554-3897cb0a",
"signature_type": "Line",
"target": {
"file": "modules/auth_jwt/authorize.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"length": 5240.0,
"function_hash": "310134654233892968039696610562239348154"
},
"source": "https://github.com/opensips/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05",
"id": "CVE-2026-25554-be85e94f",
"signature_type": "Function",
"target": {
"function": "jwt_db_authorize",
"file": "modules/auth_jwt/authorize.c"
}
}
]