CVE-2026-33746: Lcobucci Jwt Validate Without Signedwith

JWT validation via lcobucci/jwt does not include a `SignedWith` constraint. Only time-based or other non-cryptographic constraints are passed to `validator()->validate()` / `validator()->assert()`, so the token's cryptographic signature is never verified. An attacker can forge or tamper with the JWT payload (e.g. impersonate any user via a `user_uuid` claim).
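The pattern this rule flags beside its corrected form, as an added example that is not part of the rule page or of the lcobucci/jwt project. It assumes lcobucci/jwt 4.x/5.x with lcobucci/clock, an HMAC-SHA256 shared secret (the key string is a placeholder), and a `user_uuid` claim as in the description; the tampered token is constructed in the script as a regression check for the fix.

```php
<?php
// Added example (not from the rule page or the lcobucci/jwt project): the missing
// SignedWith constraint beside the corrected call. Assumes lcobucci/jwt 4.x/5.x,
// lcobucci/clock and an HMAC-SHA256 secret; the key below is a placeholder.
require 'vendor/autoload.php';

use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;

$config = Configuration::forSymmetricSigner(
    new Sha256(),
    InMemory::plainText('PLACEHOLDER-SECRET-AT-LEAST-32-BYTES-LONG-CHANGE-ME')
);

// VULNERABLE pattern the rule flags: parse() only decodes, LooseValidAt checks the
// time claims, and nothing checks the signature, so any payload is accepted.
function userFromTokenInsecure(Configuration $config, string $jwt): string
{
    $token = $config->parser()->parse($jwt);
    $config->validator()->assert($token, new LooseValidAt(SystemClock::fromUTC()));
    return (string) $token->claims()->get('user_uuid');
}

// FIXED: SignedWith ties the token to the configured signer and verification key;
// a forged or modified token is rejected before any claim is read.
function userFromTokenSecure(Configuration $config, string $jwt): string
{
    $token = $config->parser()->parse($jwt);
    $config->validator()->assert(
        $token,
        new SignedWith($config->signer(), $config->verificationKey()),
        new LooseValidAt(SystemClock::fromUTC())
    );
    return (string) $token->claims()->get('user_uuid');
}

// Regression check: a constructed payload reusing the original signature must be
// rejected by the fixed path; the vulnerable path wrongly accepts it.
$legit = $config->builder()->expiresAt(new DateTimeImmutable('+1 hour'))
    ->withClaim('user_uuid', 'alice')->getToken($config->signer(), $config->signingKey());
[$header, , $sig] = explode('.', $legit->toString());
$payload = rtrim(strtr(base64_encode(json_encode(['exp' => time() + 3600, 'user_uuid' => 'admin'])), '+/', '-_'), '=');
$tampered = "$header.$payload.$sig";
echo 'insecure: ', userFromTokenInsecure($config, $tampered), PHP_EOL;
try { userFromTokenSecure($config, $tampered); } catch (RequiredConstraintsViolated $e) { echo 'secure: rejected', PHP_EOL; }
```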

Provally Curated | Public repository | High | High confidence | Verified | Apache-2.0 | php
greprules fetch cve-2026-33746-lcobucci-jwt-validate-without-signedwith --engine opengrep

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
