PT-2026-41777 · Rubygems · Ruby-Jwt

Published

2026-05-13

·

Updated

2026-05-18

·

CVE-2026-45363

CVSS v2.0

7.6

High

VectorAV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions ruby-jwt (affected versions not specified)
Description A flaw in the authentication procedure allows the library to accept forged tokens when an empty string is used as the verification key. This occurs because the HMAC algorithm lacks a precondition to reject empty keys, and OpenSSL::HMAC.digest returns a valid digest under these conditions. The issue affects HS256, HS384, and HS512 algorithms via JWT.decode (using both positional keys and block keyfinders) and the verify signature! function. This can be triggered when keyfinder blocks or arguments return an empty string, or when applications use patterns that result in empty strings, such as ENV['SECRET'] || '' or ORM columns with empty string defaults. Exploitation of this issue may lead to a denial of service.
Recommendations Enable the enforce hmac key length option to block the use of empty keys. Avoid using empty strings as keys in JWT.decode() or within keyfinder blocks. Ensure that keyfinder blocks return nil or raise an error instead of returning an empty string when a key is not found.

Exploit

Fix

Inadequate Encryption Strength

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09332
CVE-2026-45363
GHSA-C32J-VQHX-RX3X

Affected Products

Ruby-Jwt