CVE-2026-35039

fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)

Description

fast-jwt provides fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.1.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token.

INFO

Published Date :

2026-04-06T16:59:43.124Z

Last Modified :

2026-04-06T16:59:43.124Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35039 vulnerability.

Vendors	Products
Nearform	Fast-jwt

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35039.

URL	Resource
https://github.com/nearform/fast-jwt/security/advisories/GHSA-rp9m-7r4c-75qg

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact