PT-2026-37245 · Go · github.com/nuts-foundation/nuts-node

Stevenvegt · Published 2026-05-05 · Updated 2026-05-26 · CVE-2026-41164

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

- nuts-node versions prior to 5.4.31
- nuts-node versions prior to 6.2.3

Description

The v1 access token introspection endpoint ('/auth/v1/introspect access token') accepts any JSON Web Token (JWT) signed by a key present on the node without validating the JWT type, the issuer-to-key binding, or the required claims. This allows a Verifiable Presentation (VP) JWT, a format used to present credentials, to be replayed as an access token, producing an 'active: true' introspection response. The root cause is that the endpoint performs only the standard JWT checks: it does not verify that the iss (issuer) claim matches the Decentralized Identifier (DID) extracted from the kid (key ID) header, it ignores the typ (type) header, and it allows the service claim to be empty.

Recommendations

- Update to version 5.4.31 or later.
- Update to version 6.2.3 or later.
- As a temporary workaround, resource servers should explicitly validate introspection responses and reject any response where the service claim is empty, where the iss claim is empty or does not match the expected authorizer DID, or where the sub claim does not match the expected requester DID.
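The resource-server workaround above, written out as an added Go example (not code from nuts-node): the JSON field names `iss`, `sub` and `service` and the `did:nuts:...` values are assumptions taken from the advisory's wording and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// IntrospectionResponse holds the fields of the v1 introspection reply that the
// workaround checks; the JSON keys are assumed from the claim names in the advisory.
type IntrospectionResponse struct {
	Active  bool   `json:"active"`
	Iss     string `json:"iss"`
	Sub     string `json:"sub"`
	Service string `json:"service"`
}

// ValidateIntrospection applies the advisory's workaround on the resource server:
// an active response is trusted only if the service claim is set, iss equals the
// expected authorizer DID and sub equals the expected requester DID.
func ValidateIntrospection(raw []byte, authorizerDID, requesterDID string) error {
	var resp IntrospectionResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return fmt.Errorf("invalid introspection response: %w", err)
	}
	if !resp.Active {
		return errors.New("token is not active")
	}
	if resp.Service == "" {
		return errors.New("service claim is empty")
	}
	if resp.Iss == "" || resp.Iss != authorizerDID {
		return fmt.Errorf("iss %q does not match expected authorizer %q", resp.Iss, authorizerDID)
	}
	if resp.Sub != requesterDID {
		return fmt.Errorf("sub %q does not match expected requester %q", resp.Sub, requesterDID)
	}
	return nil
}

func main() {
	// Constructed sample: a replayed VP JWT introspects as active but carries no service claim.
	replayed := []byte(`{"active":true,"iss":"did:nuts:authorizer","sub":"did:nuts:requester"}`)
	fmt.Println(ValidateIntrospection(replayed, "did:nuts:authorizer", "did:nuts:requester"))
	// Constructed sample: a genuine access token with all expected claims.
	genuine := []byte(`{"active":true,"iss":"did:nuts:authorizer","sub":"did:nuts:requester","service":"example-service"}`)
	fmt.Println(ValidateIntrospection(genuine, "did:nuts:authorizer", "did:nuts:requester"))
}
```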

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

- CVE-2026-41164
- GHSA-9hmg-827w-9rhj

Affected Products

- github.com/nuts-foundation/nuts-node
- nuts-node