CVE-2026-45795
Janssen Project: JWE Request Object Signature Verification Bypass in jans-auth-server
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The Janssen Project is an open-source identity and access management (IAM) platform. Prior to 2.0.0, jans-auth-server accepts unsigned JWE request objects because JwtAuthorizationRequest skips inner signature validation when jwe.getSignedJWTPayload() returns null, and AuthzRequestService.processRequestObject() does not reject the unrecognized RSA-OAEP algorithm when forceSignedRequestObject=true. This issue is fixed in version 2.0.0.
| CWE | CWE-347 |
| Vendor | janssenproject |
| Product | jans |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for janssenproject jans
Be the first to know when new medium vulnerabilities affecting janssenproject jans are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
JanssenProject / jans
< 2.0.0
References
github.com: https://github.com/JanssenProject/jans/security/advisories/GHSA-r3gj-4pj2-9j3j github.com: https://github.com/JanssenProject/jans/pull/13438 github.com: https://github.com/JanssenProject/jans/commit/0cdd214870ee30eb2186261f21c85b9e9fc63b5c github.com: https://github.com/JanssenProject/jans/releases/tag/v2.0.0