CVE-2026-25554 HIGH

CVE-2026-25554: OpenSIPS 3.1 <= 3.6.4 auth_jwt SQL Injection Enables JWT Authentication Bypass

Vendor Opensips
Product OpenSIPS
Weakness CWE-89 · SQLi
Published February 25, 2026
Last update May 11, 2026

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
May 11, 2026 Record updated