theinfosecnews

CVE-2026-34950

Published April 6, 2026 · Updated April 6, 2026

CVSS 9.1 (critical)

What This Means

CVE-2026-34950 is a critical vulnerability with a CVSS score of 9.1 in the fast-jwt library, affecting versions 6.1.0 and earlier. The issue arises from a regex flaw that allows leading whitespace in the public key string, potentially enabling a JWT algorithm confusion attack similar to CVE-2023-48223. Security teams should update to the latest version of fast-jwt to mitigate this vulnerability.

Official Description

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched.
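As an added illustration (not code from fast-jwt; the regexes, function names and the sample key are assumptions), the block below shows the shape of the defect: a `^`-anchored PEM matcher applied to the untrimmed string fails on a key with leading whitespace, so a verifier that relies on it would treat that public key as an ordinary HMAC secret. Beside it is a whitespace-tolerant matcher and the algorithm/key guard a verifier should run before using any key with an HS* algorithm.

```javascript
// Added example, not fast-jwt's own code. Demonstrates the class of flaw
// described in CVE-2026-34950 and the check that closes it.

// Weak matcher: anchored with ^ but applied to the raw string, so any
// leading whitespace stops it from recognising a PEM public key.
const WEAK_PEM_MATCHER = /^-----BEGIN (?:RSA |EC )?PUBLIC KEY-----/;

// Hardened matcher: allow leading whitespace and require the matching
// footer, so a PEM block is recognised wherever it starts.
const HARDENED_PEM_MATCHER =
  /^\s*-----BEGIN (?:RSA |EC )?PUBLIC KEY-----[\s\S]*-----END (?:RSA |EC )?PUBLIC KEY-----\s*$/;

function weakIsPublicKey(key) {
  return WEAK_PEM_MATCHER.test(String(key));
}

function hardenedIsPublicKey(key) {
  // String() also covers Buffer inputs, which JWT libraries commonly accept.
  return HARDENED_PEM_MATCHER.test(String(key));
}

// Verifier-side guard: an HMAC algorithm must never be paired with a public
// key, because a public key is not secret. Returns true when the
// (algorithm, key) pair may be used, false when it must be rejected.
function keyAllowedForAlgorithm(algorithm, key, isPublicKey = hardenedIsPublicKey) {
  const isHmac = /^HS(256|384|512)$/.test(algorithm);
  return !(isHmac && isPublicKey(key));
}

// Constructed sample key material (placeholder body, not a real key).
const PEM =
  '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq...placeholder...\n-----END PUBLIC KEY-----\n';
const PEM_WITH_LEADING_WHITESPACE = ' \n' + PEM;

// With the weak matcher the whitespace-prefixed public key is accepted as an
// HS256 secret; with the hardened matcher it is rejected.
const weakVerdict = keyAllowedForAlgorithm('HS256', PEM_WITH_LEADING_WHITESPACE, weakIsPublicKey);
const hardenedVerdict = keyAllowedForAlgorithm('HS256', PEM_WITH_LEADING_WHITESPACE);
```

A one-line `key.trim()` before matching closes the gap just as well; the important part is that the HS* rejection path runs on the same normalised key the signing path will use.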

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-34950.
