PT-2026-53747 · Strapi · Users-Permissions Plugin
Bl4Ck570Rm · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-57997
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Strapi users-permissions plugin (affected versions not specified)
Description: When the plugin::users-permissions.jwt.algorithm configuration is not explicitly set, the users-permissions plugin does not restrict which JSON Web Token (JWT) algorithms it accepts, so the system accepts HS384 and HS512 tokens in addition to HS256. An attacker who possesses the jwtSecret can create tokens with these HMAC variants to bypass the intended algorithm restriction and weaken authentication controls.
Recommendations: Explicitly configure the plugin::users-permissions.jwt.algorithm setting to restrict the accepted JWT algorithms. At the moment there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Use of a Broken Cryptographic Algorithm


Related Identifiers: CVE-2026-57997
Affected Products: Users-Permissions Plugin