HarborGuard Database
CVE-2026-53776 | Severity: CRITICAL | CNA: VulnCheck

CVE-2026-53776: Perry < 0.5.1166 JWT Expiration Bypass via verify_decode

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 0.5.1166
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in the Perry JWT library (versions before 0.5.1166) allows a remote attacker to reuse expired bearer tokens indefinitely. The bug stems from the verify_decode helper unconditionally setting validate_exp = false, meaning the library never checks whether a JSON Web Token has expired. Any attacker who holds a previously issued token, including one from a session that was force-expired via logout or administrative revocation, can present that token to any jwt.verify() call and gain continued authenticated access. A patched-image rebuild at version 0.5.1166 is available on HarborGuard for environments running an affected version.
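To make the failure mode concrete, here is an added example that is not Perry's code and does not use its jwt API: a minimal HS256 verifier in Python with a validate_exp switch, a verify_decode_vulnerable helper that hardwires the flag to false the way the advisory describes, the fixed variant that honours the caller's choice, and an application-side exp_guard that callers stuck on an affected version can apply to the returned claims as a compensating control. All function names, the demo key and the timestamps are constructed for illustration.

```python
"""Added example (not Perry's code): minimal HS256 JWT verify showing why a
hardwired validate_exp=False admits expired tokens, plus the fix and a guard."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; never ship a static key.
DEMO_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes, validate_exp: bool = True, now: Optional[float] = None) -> dict:
    """Check the HMAC first, then the exp claim if asked. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if validate_exp:
        exp = claims.get("exp")
        now = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or now >= exp:
            raise ValueError("token expired or exp missing")
    return claims


def verify_decode_vulnerable(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Mirrors the advisory: the helper forces validate_exp=False, discarding the caller's intent."""
    validate_exp = False
    return verify(token, key, validate_exp=validate_exp, now=now)


def verify_decode_fixed(token: str, key: bytes, validate_exp: bool = True,
                        now: Optional[float] = None) -> dict:
    """Shape of the fix: pass the caller's flag through and default to checking exp."""
    return verify(token, key, validate_exp=validate_exp, now=now)


def exp_guard(claims: dict, now: Optional[float] = None) -> dict:
    """Compensating control: re-check exp on returned claims, independent of the library flag."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired (application-side check)")
    return claims


def demo() -> dict:
    """Probe all three paths with an expired token and a tampered token; return outcomes."""
    now = 1_700_000_000                                   # constructed clock value
    expired = sign({"sub": "alice", "exp": now - 3600}, DEMO_KEY)   # expired an hour ago
    results = {}
    results["vulnerable_accepts_expired"] = verify_decode_vulnerable(expired, DEMO_KEY, now=now)["sub"] == "alice"
    try:
        verify_decode_fixed(expired, DEMO_KEY, now=now)
        results["fixed_rejects_expired"] = False
    except ValueError:
        results["fixed_rejects_expired"] = True
    try:
        exp_guard(verify_decode_vulnerable(expired, DEMO_KEY, now=now), now=now)
        results["guard_rejects_expired"] = False
    except ValueError:
        results["guard_rejects_expired"] = True
    # Swap in a forged payload but keep the old signature: every path must reject it,
    # which is why this bug bypasses expiry only, not token integrity.
    h, _, s = expired.split(".")
    tampered = ".".join([h, _b64url(json.dumps({"sub": "admin", "exp": now + 3600}).encode()), s])
    try:
        verify_decode_vulnerable(tampered, DEMO_KEY, now=now)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable path accepts a token whose exp is an hour in the past while the fixed path and the guard reject it; the tampered-payload case shows the signature check is intact, so an attacker needs a genuinely issued token rather than a forged one. The same three-token probe (fresh, expired, tampered) is a quick check to run against any verify wrapper in your own code base before and after upgrading.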

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-53776 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Perry library directly. Any image layer containing a perry package below 0.5.1166 will surface this finding in the HarborGuard scan results.

Triage (Available)

HarborGuard scores this finding at CVSS 9.3 Critical (v4.0) and weights it against each environment's compliance policy to determine urgency and routing. The finding is routed to the appropriate inbox within each customer organization based on configured policy rules, so the right team sees it without manual triage overhead.

Patch (Available)

A patched-image rebuild at Perry 0.5.1166 becomes available on HarborGuard as soon as the fix version is confirmed in the upstream feed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the service over the network to present the expired token to an endpoint that calls jwt.verify().

  • Authentication: Not required

    No credential or account is needed beyond possession of a previously issued bearer token, which may have come from any prior session.

  • Victim interaction: Not required

    No user action is required; the attacker submits the expired token directly to the target service.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is straightforward and condition-free; no race conditions or special environmental configuration are required to bypass expiration validation.

Blast Radius

  • The attacker reads resources and data accessible to the identity bound to the expired token, including session state, user records, and any API responses gated behind authentication.
  • The attacker writes or modifies data on behalf of the hijacked identity, including submitting transactions, changing account settings, or altering application state.
  • Revoked sessions (from logout, administrative action, or user credential rotation) offer no protection: because the exp claim is never checked, a captured token remains usable for as long as the issuer's signing key stays in use, which is effectively unlimited. Rotating the signing key itself does invalidate outstanding tokens, since the signature check is not affected by this bug.
  • Any service in the same application that trusts a jwt.verify() result from the Perry library inherits the bypass, widening lateral reach across microservices sharing the same token issuer.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-53776 runs automatically against all images in customer registries and CI pipelines, with results available within minutes of CVE publication. For environments running Perry below 0.5.1166, a rebuilt image at the patched version is available through HarborGuard's rebuild pipeline. For customers who opt into auto-remediation, HarborGuard handles the full flow: rebuild the image at 0.5.1166, execute regression tests, and open a pull request against affected workloads. For critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual sign-off before merging, HarborGuard surfaces the PR with full diff and scan attestation for accelerated review. As a compensating control while patching is in progress, network policy can be tightened to limit which services accept bearer tokens, and JWT issuance TTLs can be shortened at the identity provider level to reduce the useful window of any token already in circulation.


Fix available: 0.5.1166

Affected packages
  • PerryTS / perry: < 0.5.1166 (from 0)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N