CVE-2026-34240

Name of the Vulnerable Software and Affected Versions jose versions prior to 0.3.5+1

Description A flaw in jose could allow a remote attacker to forge valid JWS/JWT tokens by utilizing a key embedded in the JOSE header (jwk). The issue arises because key selection may consider header-provided jwk as a verification candidate even if the key is not in the trusted key store. An attacker can exploit this by crafting a token payload, embedding an attacker-controlled public key in the header, and signing with the corresponding private key. Applications using affected versions for token verification are susceptible to this issue.

Recommendations Upgrade to version 0.3.5+1 or later. Reject tokens where a header jwk is present unless that jwk matches a key already present in the application's trusted key store.