Search criteria
1 vulnerability by nuts-foundation
CVE-2026-41164 (GCVE-0-2026-41164)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:35 – Updated: 2026-05-27 17:24
VLAI
Title
nuts-node: JWT type confusion in v1 access token introspection allows VP replay as access token
Summary
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31.
Severity
4.4 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuts-foundation/nuts-node/secu… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nuts-foundation | nuts-node |
Affected:
>= 6.0.0-alpha.1, < 6.2.3
Affected: < 5.4.31 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T17:24:32.828628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T17:24:40.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuts-node",
"vendor": "nuts-foundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0-alpha.1, \u003c 6.2.3"
},
{
"status": "affected",
"version": "\u003c 5.4.31"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:35:59.019Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuts-foundation/nuts-node/security/advisories/GHSA-9hmg-827w-9rhj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuts-foundation/nuts-node/security/advisories/GHSA-9hmg-827w-9rhj"
}
],
"source": {
"advisory": "GHSA-9hmg-827w-9rhj",
"discovery": "UNKNOWN"
},
"title": "nuts-node: JWT type confusion in v1 access token introspection allows VP replay as access token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41164",
"datePublished": "2026-05-26T17:35:59.019Z",
"dateReserved": "2026-04-17T16:34:45.525Z",
"dateUpdated": "2026-05-27T17:24:40.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}