An attacker can forge Biscuit v1 tokens with any access level.
There is no known workaround for Biscuit v1. The Biscuit v2 specification avoids this vulnerability.
{ "imports": [ { "path": "github.com/biscuit-auth/biscuit-go" } ] }