{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25554", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-02T20:12:33.395Z", "datePublished": "2026-02-25T16:54:11.845Z", "dateUpdated": "2026-05-11T23:11:08.970Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSIPS", "repo": "https://github.com/OpenSIPS/opensips", "vendor": "OpenSIPS", "versions": [{"lessThan": "3.6.4", "status": "affected", "version": "3.1", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensips:opensips:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.4", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Pavel Kohout, Aisle Research, www.aisle.com"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities."}], "value": "OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.3, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:08.970Z"}, "references": [{"tags": ["release-notes"], "url": "https://opensips.org/pub/opensips/3.6.4/ChangeLog"}, {"tags": ["issue-tracking"], "url": "https://github.com/OpenSIPS/opensips/pull/3807"}, {"tags": ["patch"], "url": "https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05"}, {"tags": ["product"], "url": "https://opensips.org/"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass"}], "source": {"discovery": "UNKNOWN"}, "title": "OpenSIPS 3.1 <= 3.6.4 auth_jwt SQL Injection Enables JWT Authentication Bypass", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:43:08.070958Z", "id": "CVE-2026-25554", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:43:16.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25554", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:43:08.070958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T19:35:36.791Z"}}], "cna": {"title": "OpenSIPS 3.1 <= 3.6.4 auth_jwt SQL Injection Enables JWT Authentication Bypass", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pavel Kohout, Aisle Research, www.aisle.com"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/OpenSIPS/opensips", "vendor": "OpenSIPS", "product": "OpenSIPS", "versions": [{"status": "affected", "version": "3.1", "lessThan": "3.6.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://opensips.org/pub/opensips/3.6.4/ChangeLog", "tags": ["release-notes"]}, {"url": "https://github.com/OpenSIPS/opensips/pull/3807", "tags": ["issue-tracking"]}, {"url": "https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05", "tags": ["patch"]}, {"url": "https://opensips.org/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.", "supportingMedia": [{"type": "text/html", "value": "OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opensips:opensips:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.6.4", "versionStartIncluding": "3.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T18:02:52.174Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25554", "state": "PUBLISHED", "dateUpdated": "2026-03-05T18:02:52.174Z", "dateReserved": "2026-02-02T20:12:33.395Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-25T16:54:11.845Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities."}, {"lang": "es", "value": "Las versiones de OpenSIPS 3.1 anteriores a la 3.6.4 que contienen el m\u00f3dulo auth_jwt (anterior al commit 3822d33) contienen una vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n jwt_db_authorize() en modules/auth_jwt/authorize.c cuando db_mode est\u00e1 habilitado y se utiliza un backend de base de datos SQL. La funci\u00f3n extrae la tag claim de un JWT sin verificaci\u00f3n de firma previa e incorpora el valor sin escapar directamente en una consulta SQL. Un atacante puede proporcionar un JWT manipulado con una tag claim maliciosa para manipular el resultado de la consulta y eludir la autenticaci\u00f3n JWT, permitiendo la suplantaci\u00f3n de identidades arbitrarias."}], "id": "CVE-2026-25554", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-25T18:23:40.617", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/OpenSIPS/opensips/pull/3807"}, {"source": "disclosure@vulncheck.com", "url": "https://opensips.org/"}, {"source": "disclosure@vulncheck.com", "url": "https://opensips.org/pub/opensips/3.6.4/ChangeLog"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{"bugzilla": {"description": "opensips: OpenSIPS: Authentication bypass due to SQL injection in JWT processing", "id": "2442687", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442687"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-89", "details": ["A flaw was found in OpenSIPS. The auth_jwt module, when configured with db_mode and a SQL database backend, contains a SQL injection vulnerability in the jwt_db_authorize() function. This function extracts the tag claim from a JSON Web Token (JWT) without verifying its signature and directly incorporates the unescaped value into a SQL query. A remote attacker can exploit this by supplying a crafted JWT with a malicious tag claim, leading to manipulation of query results, bypass of JWT authentication, and impersonation of arbitrary identities."], "name": "CVE-2026-25554", "public_date": "2026-02-25T16:54:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25554\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25554\nhttps://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05\nhttps://github.com/OpenSIPS/opensips/pull/3807\nhttps://opensips.org/\nhttps://opensips.org/pub/opensips/3.6.4/ChangeLog\nhttps://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass"], "statement": "This is an IMPORTANT flaw in OpenSIPS. The vulnerability exists when the `auth_jwt` module is enabled, configured with `db_mode`, and utilizes a SQL database backend for JWT authorization. An attacker can exploit this specific configuration to bypass authentication and impersonate identities by crafting a malicious JWT. Systems are only affected if OpenSIPS is deployed with this particular configuration.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.1,3.6.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSIPS", "source": "cna", "vendor": "OpenSIPS"}, "product": "opensips", "vendor": "opensips"}], "analysis": {"en": {"generated_at": "2026-04-17T15:05:04.181344+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSIPS to version 3.6.4 or later, which includes the patch for the auth_jwt SQL injection.\n", "If an upgrade is not immediately feasible, disable the db_mode option in the auth_jwt module to eliminate the vulnerable code path.\n", "Configure the JWT handling to perform signature verification before extracting any claim values, ensuring that only valid tokens are processed."], "summary": {"action": "Immediate Patch", "impact": "Impersonation through JWT authentication bypass via SQL injection"}, "threat_synthesis": {"affected_systems": "OpenSIPS server software, versions 3.1 up to and including 3.6.4, when the auth_jwt module is enabled with db_mode and a relational database backend. The vulnerability exists in all releases before the commit that fixes the issue.\n", "description_and_impact": "A SQL injection flaw in the auth_jwt module allows an attacker to insert malicious content into the tag claim of a JSON Web Token (JWT). Because the module does not verify the token\u2019s signature before using the claim, the unescaped value is embedded directly into a SQL statement against the authentication database. This enables the attacker to manipulate the query and force the authentication routine to accept the token, thereby bypassing normal authentication controls and allowing impersonation of any user.\n", "risk_and_exploitability": "The CVSS score of 8.3 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack requires only the ability to send a crafted JWT to the OpenSIPS instance, implying a remote capability that makes it potentially exploitable over the network, especially where JWTs are accepted without signature validation.\n"}}}}, "created": "2026-02-26T13:15:17.264188+00:00", "updated": "2026-04-17T15:15:21.822693+00:00", "vendors": ["opensips", "opensips$PRODUCT$opensips"]}