CVE-2026-53776
CRITICAL · 9.1 · Real vuln, high CVSS, but freshly disclosed; no KEV, PoC, or active exploitation signal yet.
What: JWT validation bypass in the Perry authentication library (before 0.5.1166): expired bearer tokens are accepted indefinitely, defeating expiry-based session revocation and logout (CVSS 9.1 CRITICAL).
Why it matters: Published June 16, 2026, the same day as the first social chatter; affects any application that relies on Perry's jwt.verify() to reject expired tokens. The high CVSS score and a direct authentication bypass make this actionable for defenders. However, there is no KEV listing, no public PoC has been observed, and the chatter is mostly vulnerability aggregators republishing the CVE metadata, with no confirmed in-the-wild exploitation and no emergency vendor patch signal.
Where it's seen: Threat intelligence feeds and security news sites amplifying the CVE metadata within hours of publication; no exploit code, defender triage questions, or vendor emergency patches noted yet.
RISK: CRITICAL (CVSS 9.1 authentication bypass); any unpatched Perry deployment is exposed to replay of expired bearer tokens.
Description
Perry before 0.5.1166 contains a JWT validation flaw: the verify_decode helper in the stdlib JWT verification path unconditionally sets validate_exp = false, so the exp claim is never enforced. A remote attacker holding any previously issued bearer token can present it to any jwt.verify() call after it has expired and retain authenticated access indefinitely. Because expiry is how stateless JWT sessions are forced to end, every control that depends on exp is bypassed, including short-lived access tokens, user logout, and administrative revocation.
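The flaw class described above, as an added example that is not Perry's code (no Perry source appears on this page): a minimal HS256 JWT verifier in Python, written once in the vulnerable shape (expiry validation switched off unconditionally, mirroring the validate_exp = false in the described verify_decode helper) and once in the corrected form, plus a probe() check a defender can run against any verifier callable to confirm that expired tokens are rejected. The secret, claim values and function names are constructed for the demo and are assumptions, not identifiers from Perry.

```python
"""Illustrative reimplementation of the CVE-2026-53776 flaw class.

Added example, not Perry's code. Minimal HS256 JWT mint/verify using only
the standard library, with a vulnerable verifier (expiry check forced off),
a hardened verifier, and a probe() regression check.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: shared HMAC key for the demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT (header.payload.signature) signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _check_signature(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the claims; raise ValueError on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_decode_vulnerable(token: str, secret: bytes, now=None) -> dict:
    """Mimics the described bug: the expiry check is switched off unconditionally."""
    claims = _check_signature(token, secret)
    validate_exp = False  # the unconditional override the advisory describes
    current = now if now is not None else time.time()
    if validate_exp and claims.get("exp", 0) <= current:
        raise ValueError("token expired")  # unreachable: exp is never enforced
    return claims


def verify_decode_fixed(token: str, secret: bytes, now=None, leeway: int = 30) -> dict:
    """Hardened form: exp is mandatory and enforced, with a small clock-skew leeway."""
    claims = _check_signature(token, secret)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp")
    current = now if now is not None else time.time()
    if exp + leeway <= current:
        raise ValueError("token expired")
    return claims


def accepts(verify_fn, token: str, secret: bytes = SECRET, now=None) -> bool:
    """True if verify_fn returns claims for token, False if it rejects it."""
    try:
        verify_fn(token, secret, now=now)
    except ValueError:
        return False
    return True


def probe(verify_fn, secret: bytes = SECRET) -> bool:
    """Regression check: True means the verifier accepts a token that expired an hour ago."""
    now = time.time()
    expired = encode_hs256({"sub": "alice", "exp": int(now - 3600)}, secret)
    return accepts(verify_fn, expired, secret, now=now)


if __name__ == "__main__":
    print("vulnerable verifier accepts expired token:", probe(verify_decode_vulnerable))
    print("fixed verifier accepts expired token:", probe(verify_decode_fixed))
```

probe() is the check to carry into a staging environment: mint a token with exp in the past using the application's own signing key, present it to the real jwt.verify() path, and treat acceptance as confirmation that the deployment is on an affected version. The fixed verifier also rejects tokens with no exp at all, since a missing expiry is the same failure mode by another route.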
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None