CVE-2026-36721: A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Authentication bypass in bookcars v8.3 allows an unauthenticated attacker to forge a JWT token and gain access without valid credentials. The vulnerability is reachable over the network and requires no authentication or user interaction to exploit. Successful exploitation gives the attacker full read, write, and availability impact against the affected service. HarborGuard is tracking the advisory for upstream patch availability.
HarborGuard Coverage
Detection: Available
Detection of CVE-2026-36721 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of publication, including custom-built images that bundle bookcars v8.3. Matching runs against images in both connected registries and active CI/CD pipelines.
Triage: Available
Triage is available with the CVSS v3.1 score of 9.8 (Critical) applied automatically, weighted against each customer's per-environment compliance policy. Resulting findings are routed to the appropriate inbox within the customer organization based on configured ownership rules.
Patched-image rebuild: Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable validateAccessToken function is exposed over the network, so an attacker must be able to reach the service via a standard network connection.
- Authentication: Not required
The flaw exists precisely in the authentication layer, so no valid credentials or account are needed before sending a forged JWT token.
- Victim interaction: Not required
No user action is required; the attacker targets the service endpoint directly without involving any other party.
- Attack complexity: Low
Exploit complexity is low, meaning the attack is reliable and requires no special environmental conditions, race timing, or memory-layout knowledge.
Blast Radius
- Attacker reads all data accessible to authenticated users, including stored session tokens, user records, and any booking or payment data held by the application.
- Attacker writes or modifies persisted application data, including user accounts, reservations, and configuration records.
- Attacker can disrupt service availability by issuing destructive authenticated requests, crashing or corrupting application state.
- Full authentication bypass means the attacker inherits the broadest permission set the application grants, with no per-user scope restriction.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-36721 is active and will flag any image containing bookcars v8.3 as it appears in customer registries or pipelines. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published; for customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads automatically. In the interim, compensating controls worth considering include network-policy isolation to restrict which services and clients can reach the bookcars endpoint, egress filtering to limit lateral movement if a token is forged, and feature-flag gating or a reverse-proxy authentication layer in front of the validateAccessToken call to reject structurally invalid JWTs before they reach the vulnerable function.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H