CVE-2026-36727. Severity: CRITICAL. CNA: mitre

CVE-2026-36727: An insecure authentication vulnerability in the /api/social-sign-in endpoint of bookcars v8

An insecure authentication vulnerability in the /api/social-sign-in endpoint of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in bookcars v8.3 allows a remote, unauthenticated attacker to forge a JWT token and gain unauthorized access through the /api/social-sign-in endpoint. The vulnerability is reachable over the network and requires no credentials or user interaction to exploit. Successful exploitation gives the attacker full read and write access to data accessible under the compromised identity. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-36727 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle bookcars v8.3. Coverage extends to both registry scans and inline pipeline checks at build time.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 (Critical, v3.1) and can weight that score against each customer environment's compliance policy to determine breach-of-threshold status. Triage routing can direct findings to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. Until then, compensating-control suggestions such as network-policy isolation of the /api/social-sign-in endpoint are surfaced alongside the finding.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the bookcars API service via HTTP/HTTPS to deliver a forged JWT token.

  • Authentication: Not required

    No credentials are needed; the vulnerability exists precisely in the authentication mechanism itself, allowing a completely unauthenticated attacker to forge a valid-looking JWT.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond network access to the endpoint.

Blast Radius

  • An attacker who forges a JWT token gains full read access to data accessible under the spoofed identity, which may include personal information, booking records, and stored credentials.
  • Write access under the compromised identity allows the attacker to create, modify, or delete bookings and account data within the application.
  • If the forged token can impersonate an administrative account, the attacker gains control over all user records and application configuration exposed via the API.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-36727 is active across all scanning environments and will flag any image containing bookcars v8.3 as critically vulnerable. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published; for customers with auto-remediation enabled, that triggers a rebuild, regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, HarborGuard surfaces compensating-control recommendations alongside the finding, including network-policy rules that restrict access to the /api/social-sign-in endpoint to trusted sources only, and egress filtering to reduce the attack surface of the affected service.

Affected packages: n/a
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N