CVE-2026-53776

Source
https://cve.org/CVERecord?id=CVE-2026-53776
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53776.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53776
Aliases
  • GHSA-5324-c68v-8w62
Published
2026-06-16T15:18:53.658Z
Modified
2026-07-08T08:12:17.703335Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Perry < 0.5.1166 JWT Expiration Bypass via verify_decode
Details

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validateexp = false in the verifydecode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53776.json",
    "cwe_ids": [
        "CWE-613"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/perryts/perry

Affected ranges

Type
GIT
Repo
https://github.com/perryts/perry
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.5.1166"
        }
    ]
}

Affected versions

v0.*
v0.2.173
v0.2.179
v0.2.183
v0.2.192
v0.2.194
v0.2.195
v0.2.197
v0.2.200
v0.2.201
v0.2.202
v0.2.203
v0.2.97
v0.3.0
v0.3.1
v0.4.0
v0.4.14
v0.4.15
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.21
v0.4.22
v0.4.23
v0.4.24
v0.4.26
v0.4.27
v0.4.28
v0.4.29
v0.4.3
v0.4.30
v0.4.32
v0.4.36
v0.4.37
v0.4.38
v0.4.39
v0.4.40
v0.4.41
v0.4.45
v0.4.47
v0.4.51
v0.4.6
v0.4.8
v0.5.1008
v0.5.1011
v0.5.1019
v0.5.1020
v0.5.1021
v0.5.1022
v0.5.1024
v0.5.1025
v0.5.1028
v0.5.1112
v0.5.1116
v0.5.1117
v0.5.1120
v0.5.1121
v0.5.1122
v0.5.1125
v0.5.1129
v0.5.1150
v0.5.1151
v0.5.1158
v0.5.1159
v0.5.13
v0.5.14
v0.5.15
v0.5.343
v0.5.345
v0.5.359
v0.5.373
v0.5.374
v0.5.375
v0.5.379
v0.5.386
v0.5.450
v0.5.451
v0.5.452
v0.5.453
v0.5.454
v0.5.455
v0.5.456
v0.5.460
v0.5.463
v0.5.465
v0.5.509
v0.5.510
v0.5.511
v0.5.581
v0.5.582
v0.5.583
v0.5.585
v0.5.825
v0.5.832
v0.5.837
v0.5.840
v0.5.841
v0.5.842
v0.5.845
v0.5.846
v0.5.848
v0.5.849
v0.5.851
v0.5.852
v0.5.853
v0.5.854
v0.5.856
v0.5.857
v0.5.860
v0.5.861
v0.5.862
v0.5.863
v0.5.864
v0.5.865
v0.5.868
v0.5.871
v0.5.874
v0.5.875
v0.5.876
v0.5.877
v0.5.878
v0.5.879
v0.5.880
v0.5.881
v0.5.882
v0.5.883
v0.5.885
v0.5.886
v0.5.887
v0.5.888
v0.5.889
v0.5.890
v0.5.891
v0.5.921
v0.5.923

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53776.json"