Vulnerability DatabaseCVE-2026-33996
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-33996
March 27, 2026
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the "jwk2key" tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
Affected Packages
https://github.com/benmcollins/libjwt.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.0
Fix Suggestion:
Update to version v3.3.0
https://github.com/benmcollins/libjwt.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.0
Fix Suggestion:
Update to version v3.3.0
https://github.com/benmcollins/libjwt.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.0
Fix Suggestion:
Update to version v3.3.0
https://github.com/benmcollins/libjwt.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.0
Fix Suggestion:
Update to version v3.3.0
https://github.com/benmcollins/libjwt.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.0
Fix Suggestion:
Update to version v3.3.0
https://github.com/benmcollins/libjwt.git (GITHUB):
Affected version(s) >=v3.0.0 <v3.3.0
Fix Suggestion:
Update to version v3.3.0
Related Resources (2)
https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c
https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.8
Attack Vector
ADJACENT
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
ACTIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
7
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
HIGH
Weakness Type (CWE)
NULL Pointer Dereference
CWE-476
EPSS
Base Score:
0.02