CVE-2020-26160

Authorization bypass in github.com/dgrijalva/jwt-go

If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.
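The following Go program is an added example, not code from jwt-go or from this advisory. It is a simplified model of the check described above, next to a stricter form. The function names, audience values and claims map are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Hypothetical names. looseVerifyAudience models the flawed pattern: a failed
// string assertion leaves aud empty, and an empty aud passes when req is false.
func looseVerifyAudience(claims map[string]interface{}, want string, req bool) bool {
	aud, _ := claims["aud"].(string) // an array-valued "aud" yields ""
	if aud == "" {
		return !req
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(want)) == 1
}

// strictVerifyAudience accepts string or array "aud"; only an absent claim is optional.
func strictVerifyAudience(claims map[string]interface{}, want string, req bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !req
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []interface{}:
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	matched := 0
	for _, a := range auds {
		matched |= subtle.ConstantTimeCompare([]byte(a), []byte(want))
	}
	return matched == 1
}

func main() {
	// Constructed claims: "aud" as encoding/json decodes a JSON array of strings.
	c := map[string]interface{}{"aud": []interface{}{"other-service"}}
	fmt.Println(looseVerifyAudience(c, "my-service", false), strictVerifyAudience(c, "my-service", false))
}
```

Running it prints `true false`: the loose check accepts a token whose audience list does not contain the expected value, while the strict check rejects it.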

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score
Score Vector
Affected Versions: github.com/dgrijalva/jwt-go >= 0.0.0-20150717181359-44718f8a89b0; github.com/dgrijalva/jwt-go/v4 < 4.0.0-preview1
Severity
Ecosystem: GO
Publish Date: April 14, 2021
Modified Date: January 14, 2025