PT-2026-30016 · Pypi · Fast-Jwt

Fasrm · Published 2026-04-03 · Updated 2026-04-08 · CVE-2026-35039

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: fast-jwt (affected versions not specified)

Description: The fast-jwt library has a cache confusion vulnerability that can lead to identity or authorization mix-ups. It occurs when a custom cacheKeyBuilder function does not produce a unique key for every distinct token, so the verification results of different tokens collide in the cache. A valid token can then return the claims of a different token, which enables user impersonation, privilege escalation, cross-tenant data access and authorization bypass. Only applications that enable caching and use a custom cacheKeyBuilder prone to collisions are affected; examples of vulnerable configurations are key builders that group tokens by audience, by user type, or by tenant and service. Using the default hash-based caching or disabling caching altogether is safe. In the vulnerable configurations the parseToken function is called inside the cacheKeyBuilder function.

Recommendations: Ensure that the keys produced by the cacheKeyBuilder function are unique per token, remove the custom cacheKeyBuilder function, or disable caching.

Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-35039
GHSA-RP9M-7R4C-75QG

Affected Products

Fast-Jwt