2442687 – (CVE-2026-25554) CVE-2026-25554 opensips: OpenSIPS: Authentication bypass due to SQL injection in JWT processing

Bug 2442687 (CVE-2026-25554) - CVE-2026-25554 opensips: OpenSIPS: Authentication bypass due to SQL injection in JWT processing

Summary: CVE-2026-25554 opensips: OpenSIPS: Authentication bypass due to SQL injection...

Keywords:
Status:	NEW
Alias:	CVE-2026-25554
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2442706
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-25 18:05 UTC by OSIDB Bzimport
Modified:	2026-02-25 19:31 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-25 18:05:00 UTC

OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.

Comment 2 Peter Lemenkov 2026-02-25 19:31:10 UTC

There is some misunderstanding. I believe 3.6.4 already contains a fix - https://github.com/OpenSIPS/opensips/commit/2ce53bf26ea2a37032f61db9c8d2a671ab969b22. I am building only a package for F-42 (it still affected).

Note You need to log in before you can comment on or make changes to this bug.