ERESUS-2026-001 | Severity: Critical | CVSS: 9.8
Critical RCE in Enterprise JWT Library
Disclosed: 2026-03-15
During a routine red team engagement, our researchers discovered a critical vulnerability in a widely adopted enterprise JWT parsing library.
Vulnerability Details
The library misinterprets the "alg": "none" header when combined with a specifically formatted payload structure, leading to signature verification bypass.
This allows attackers to forge administrative tokens across all systems utilizing this library.
Remediation
Update to version 2.4.1 immediately. A CVE has been requested and is pending assignment.