{"id":"GO-2020-0017","summary":"Authorization bypass in github.com/dgrijalva/jwt-go","details":"If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.","aliases":["CVE-2020-26160","GHSA-w73w-5m7g-f7qc"],"modified":"2026-03-13T22:11:26.231671Z","published":"2021-04-14T20:04:52Z","related":["CGA-hv4q-5g38-wjr8"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0017","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"},{"type":"WEB","url":"https://github.com/dgrijalva/jwt-go/issues/422"}],"affected":[{"package":{"name":"github.com/dgrijalva/jwt-go","ecosystem":"Go","purl":"pkg:golang/github.com/dgrijalva/jwt-go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-20150717181359-44718f8a89b0"}]}],"ecosystem_specific":{"imports":[{"symbols":["MapClaims.VerifyAudience"],"path":"github.com/dgrijalva/jwt-go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0017.json"}},{"package":{"name":"github.com/dgrijalva/jwt-go/v4","ecosystem":"Go","purl":"pkg:golang/github.com/dgrijalva/jwt-go/v4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"4.0.0-preview1"}]}],"ecosystem_specific":{"imports":[{"symbols":["MapClaims.VerifyAudience"],"path":"github.com/dgrijalva/jwt-go/v4"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0017.json"}}],"schema_version":"1.7.5","credits":[{"name":"@christopher-wong"}]}