CVE-2026-41164 MEDIUM

CVE-2026-41164: nuts-node: JWT type confusion in v1 access token introspection allows VP replay as access token

Vendor Nuts-Foundation
Product nuts-node
Weakness CWE-345
Published May 26, 2026
Last update May 27, 2026

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 27, 2026 Record updated