Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.
{
"cna_assigner": "VulnCheck",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57997.json",
"cwe_ids": [
"CWE-327"
]
}{
"cpe": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "5.7.0"
}
]
}