Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-tt3k-ap2m-b3cj
Vulnerability ID VCID-tt3k-ap2m-b3cj
Aliases CVE-2026-35039
GHSA-rp9m-7r4c-75qg
Summary fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.2.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token. Version 6.2.0 contains a patch.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-345 Insufficient Verification of Data Authenticity
CWE-706 Use of Incorrectly-Resolved Name or Reference
CWE-1289 Improper Validation of Unsafe Equivalence in Input
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00019 https://api.first.org/data/v1/epss?cve=CVE-2026-35039
epss 0.00019 https://api.first.org/data/v1/epss?cve=CVE-2026-35039
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-rp9m-7r4c-75qg
cvssv3.1 9.1 https://github.com/nearform/fast-jwt
generic_textual CRITICAL https://github.com/nearform/fast-jwt
cvssv3.1 9.1 https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb
generic_textual CRITICAL https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb
ssvc Track https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb
cvssv3.1 9.1 https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
cvssv3.1_qr CRITICAL https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
generic_textual CRITICAL https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
ssvc Track https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2026-35039
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2026-35039
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35039
https://github.com/nearform/fast-jwt
https://nvd.nist.gov/vuln/detail/CVE-2026-35039
de121056c6415b58770c60640881eaec67ac4ceb https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb
GHSA-rp9m-7r4c-75qg https://github.com/advisories/GHSA-rp9m-7r4c-75qg
GHSA-rp9m-7r4c-75qg https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/nearform/fast-jwt
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-07T14:25:32Z/ Found at https://github.com/nearform/fast-jwt/commit/de121056c6415b58770c60640881eaec67ac4ceb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-07T14:25:32Z/ Found at https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35039
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05574
EPSS Score 0.00019
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:44:54.574215+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/35xxx/CVE-2026-35039.json 38.6.0