CRITICAL🇵🇱 Wersja polska

CVE-2026-36721

CVSS 9.8pub. 2026-06-09upd. 2026-06-10

A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.

🤖 AI Analysis
How it works

The validateAccessToken function responsible for verifying JWT (JSON Web Token) access tokens does not validate the cryptographic signature of the token. An attacker can independently craft (forge) a JWT token with arbitrary claims, for example by impersonating an administrator or another user. Since the signature is not verified, the application accepts such a token as valid, granting unauthorized access. The attack is possible remotely, without authentication and without any user interaction.

Impact

An attacker can completely bypass the authentication mechanism and gain unauthorized access to application resources, potentially with the privileges of any user — including an administrator — which leads to a breach of confidentiality, integrity, and data availability.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to implement proper verification of cryptographic signatures of JWT tokens (in accordance with the algorithm specified in the token header) and to reject tokens with the 'none' algorithm.

Who is affected

bookcars in version 8.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References