{"id":"CVE-2026-45363","summary":"`jwt` (Ruby gem) - empty-key HMAC bypass","details":"ruby-jwt is a Ruby implementation of the RFC 7519 OAuth JSON Web Token standard. Prior to 2.10.3 and 3.2.0, JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token because OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key and no empty-key precondition exists in the HMAC algorithm. The same path is reached when a keyfinder block or key_finder: argument returns an empty string, nil, or an array containing nil for an unknown key, affecting HS256, HS384, and HS512 verification through JWT.decode and JWT::EncodedToken#verify_signature!. This issue is fixed in versions 2.10.3 and 3.2.0.","aliases":["GHSA-c32j-vqhx-rx3x"],"modified":"2026-07-17T03:41:37.579912362Z","published":"2026-07-14T21:32:26.676Z","related":["CGA-p4xh-wv5c-vcq6"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45363.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-1391","CWE-287","CWE-326"]},"references":[{"type":"WEB","url":"https://github.com/jwt/ruby-jwt/releases/tag/v2.10.3"},{"type":"WEB","url":"https://github.com/jwt/ruby-jwt/releases/tag/v3.2.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45363.json"},{"type":"ADVISORY","url":"https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45363"},{"type":"FIX","url":"https://github.com/jwt/ruby-jwt/commit/9820020869ad147b941e49d96ab8beba35532964"},{"type":"FIX","url":"https://github.com/jwt/ruby-jwt/commit/db560b769a07bd9724e77ff505011ac01872106f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jwt/ruby-jwt","events":[{"introduced":"0"},{"introduced":"b987a5152732ab43d9e16558d3343ffca4c36cb1"},{"fixed":"a52e81d2c6b6aa6ff4be929dfa69da6b52db2888"},{"fixed":"db560b769a07bd9724e77ff505011ac01872106f"},{"fixed":"9820020869ad147b941e49d96ab8beba35532964"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.10.3"},{"introduced":"3.0.0"},{"fixed":"3.2.0"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v2.10.2","v3.1.2","v3.1.1","v3.1.0","v3.0.0","v2.10.1","v2.10.0","v2.9.3","v2.9.2","v2.9.0","v2.8.2","v2.8.1","v2.8.0","v2.7.1","v2.7.0","v2.6.0","v2.5.0","v2.4.1","v2.4.0.beta1","v2.3.0","v2.2.3","v2.2.2","v2.2.1","v2.2.0","v2.2.0.pre.beta.0","v2.1.0","v2.0.0","v2.0.0.beta1","v1.5.6","v1.5.5","v1.5.4","v1.5.3","jwt-1.5.2","jwt-1.5.1","jwt-1.4.1","jwt-1.4.0","jwt-1.3.0","jwt-1.2.1","jwt-1.2.0","jwt-0.1.11","jwt-1.0.0","jwt-0.1.10","jwt-0.1.8","jwt-0.1.7","jwt-0.1.6","jwt-0.1.5","jwt-0.1.4","jwt-0.1.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45363.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}