{"id":"CVE-2026-53776","summary":"Perry \u003c 0.5.1166 JWT Expiration Bypass via verify_decode","details":"Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.","aliases":["GHSA-5324-c68v-8w62"],"modified":"2026-07-08T08:12:17.703335Z","published":"2026-06-16T15:18:53.658Z","database_specific":{"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53776.json","cwe_ids":["CWE-613"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53776.json"},{"type":"ADVISORY","url":"https://github.com/PerryTS/perry/releases/v0.5.1166"},{"type":"ADVISORY","url":"https://github.com/PerryTS/perry/security/advisories/GHSA-5324-c68v-8w62"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53776"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/perry-jwt-expiration-bypass-via-verify-decode"},{"type":"PACKAGE","url":"https://github.com/PerryTS/perry"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/perryts/perry","events":[{"introduced":"0"},{"fixed":"c970fc567366f166ae3ea9d746e37442fdec4d5b"}],"database_specific":{"source":["AFFECTED_FIELD","DESCRIPTION"],"extracted_events":[{"introduced":"0"},{"fixed":"0.5.1166"}]}}],"versions":["v0.5.1159","v0.5.1158","v0.5.1151","v0.5.1150","v0.5.1129","v0.5.1125","v0.5.1122","v0.5.1121","v0.5.1120","v0.5.1117","v0.5.1116","v0.5.1112","v0.5.1028","v0.5.1025","v0.5.1024","v0.5.1022","v0.5.1021","v0.5.1020","v0.5.1019","v0.5.1011","v0.5.1008","v0.5.923","v0.5.921","v0.5.891","v0.5.890","v0.5.889","v0.5.888","v0.5.887","v0.5.886","v0.5.885","v0.5.883","v0.5.882","v0.5.881","v0.5.880","v0.5.879","v0.5.878","v0.5.877","v0.5.876","v0.5.875","v0.5.874","v0.5.871","v0.5.868","v0.5.865","v0.5.864","v0.5.863","v0.5.862","v0.5.861","v0.5.860","v0.5.857","v0.5.856","v0.5.854","v0.5.853","v0.5.852","v0.5.851","v0.5.849","v0.5.848","v0.5.846","v0.5.845","v0.5.842","v0.5.841","v0.5.840","v0.5.837","v0.5.832","v0.5.825","v0.5.585","v0.5.583","v0.5.582","v0.5.581","v0.5.511","v0.5.510","v0.5.509","v0.5.465","v0.5.463","v0.5.460","v0.5.456","v0.5.455","v0.5.454","v0.5.453","v0.5.452","v0.5.451","v0.5.450","v0.5.386","v0.5.379","v0.5.375","v0.5.374","v0.5.373","v0.5.359","v0.5.345","v0.5.343","v0.5.15","v0.5.14","v0.5.13","v0.4.51","v0.4.47","v0.4.45","v0.4.41","v0.4.40","v0.4.39","v0.4.38","v0.4.37","v0.4.36","v0.4.32","v0.4.30","v0.4.29","v0.4.28","v0.4.27","v0.4.26","v0.4.24","v0.4.23","v0.4.22","v0.4.21","v0.4.19","v0.4.18","v0.4.17","v0.4.15","v0.4.14","v0.4.8","v0.4.6","v0.4.3","v0.4.2","v0.4.0","v0.3.1","v0.3.0","v0.2.203","v0.2.202","v0.2.201","v0.2.200","v0.2.197","v0.2.195","v0.2.194","v0.2.192","v0.2.183","v0.2.179","v0.2.173","v0.2.97"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53776.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}