{"id":"CVE-2026-25554","details":"OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.","modified":"2026-04-12T20:28:27.108403Z","published":"2026-02-25T18:23:40.617Z","references":[{"type":"WEB","url":"https://opensips.org/pub/opensips/3.6.4/ChangeLog"},{"type":"WEB","url":"https://opensips.org/"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass"},{"type":"FIX","url":"https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05"},{"type":"FIX","url":"https://github.com/OpenSIPS/opensips/pull/3807"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/OpenSIPS/opensips","events":[{"introduced":"58804282fe53b25a2d18f8bed35b8f6fc8f8a1a8"},{"fixed":"2367deb8e2c408a2d38e90d80b5a9580dbdff959"}],"database_specific":{"versions":[{"introduced":"3.1"},{"fixed":"3.6.4"}]}},{"type":"GIT","repo":"https://github.com/opensips/opensips","events":[{"introduced":"0"},{"fixed":"3822d33c1c6b25832fdd88da1d23eed74be55b05"}]}],"versions":["1.11.0","2.1-alpha1","2.1-alpha2","2.1-alpha3","2.1-rc1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","source":"https://github.com/opensips/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05","id":"CVE-2026-25554-3897cb0a","digest":{"threshold":0.9,"line_hashes":["78101614203459480529403337418902407056","102319332738492448463919102042223060891","52907280310805016979564471421018966554","149910951557791198439169948466501926330","104563185497889765062119864739244630464","311621968327641248618712719192684977883","216091442876333318595135198681984797562","293718913230172323595973942299859317861","73408486204413253667817718754350822779","314253767360744617079709853668124157042","260356464502525214173907132490372476876","35790631418735746970858757954512788320","156077533617645975374780769441416108953","32599162646421885250953157184719303331","294278510469129187987372743326614525783","217568550749364409669775450399449219214","74324575998797169939427912992005575797","253514004039073508634609791744993159965","325667233045641622792776717826656528762","70365281334577459671828510155128419528","139039736357107671337145660518272792383","5358951753337218650900315039053426901","202675061219130691895141306473948275572","159707165905016840141736655572666574282","324855910841244746811111871422394008385","69387538469151401814567450709327513049","155289679256226658981602761137539998504","337144336384510319510181686657831280971","92601107541447900962949901650065537275"]},"signature_type":"Line","target":{"file":"modules/auth_jwt/authorize.c"}},{"deprecated":false,"signature_version":"v1","source":"https://github.com/opensips/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05","id":"CVE-2026-25554-be85e94f","digest":{"length":5240,"function_hash":"310134654233892968039696610562239348154"},"signature_type":"Function","target":{"file":"modules/auth_jwt/authorize.c","function":"jwt_db_authorize"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25554.json","vanir_signatures_modified":"2026-04-12T20:28:27Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}