PT-2020-16317

Published 2020-09-30 · Updated 2025-08-22 · CVE-2020-26160

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: jwt-go before 4.0.0-preview1
Description: The issue allows attackers to bypass intended access restrictions when the audience claim in a JWT is an array of strings rather than a single string. The type assertion to string fails when m["aud"] is []string{}, so aud ends up as an empty string. This is a security problem if the JWT is presented to a service that lacks its own audience check.
Recommendations: For jwt-go versions prior to 4.0.0-preview1, migrate to golang-jwt version 3.2.1. As a temporary workaround, implement an audience check in the services that verify JWTs so that the intended access restrictions cannot be bypassed.
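The failure mode above, reconstructed as an added example (not the page's or the library's own code): a pared-down claims map, an audience check that mirrors the single type assertion the advisory describes, and a hardened variant that normalises the claim to a list before comparing. The claim values and audience names are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// MapClaims stands in for the library's claims map (added example); JSON arrays decode to []interface{}.
type MapClaims map[string]interface{}

// verifyAudienceVulnerable mirrors the logic the advisory describes: one type assertion to string.
// An array "aud" fails it, aud becomes "", and with required=false the check passes.
func verifyAudienceVulnerable(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// verifyAudienceFixed normalises "aud" to a list first (string, []string, or the
// []interface{} produced by encoding/json) and accepts only an exact match.
func verifyAudienceFixed(m MapClaims, cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case string:
		aud = []string{v}
	case []string:
		aud = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string audience entry: reject, do not ignore
			}
			aud = append(aud, s)
		}
	}
	if len(aud) == 0 {
		return !required
	}
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	claims := MapClaims{"aud": []interface{}{"other-service"}} // constructed claim set
	fmt.Println(verifyAudienceVulnerable(claims, "my-service", false), verifyAudienceFixed(claims, "my-service", false))
}
```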

Weakness Enumeration

Improper Authentication
Improper Handling of Exceptional Conditions

Related Identifiers

AZL-41684
BDU:2025-11266
CVE-2020-26160
GHSA-W73W-5M7G-F7QC
GO-2020-0017
OPENSUSE-SU-2024:11428-1
OPENSUSE-SU-2024:11668-1
RHSA-2021:2042
SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Affected Products

Red Os
Jwt-Go