🤖 AI Summary
A significant security flaw, identified as CVE-2026-23993, has been discovered in the HarbourJwt library, which allows for JWT (JSON Web Token) authentication bypass. The issue arises when the header of a JWT contains an unrecognized algorithm value: the library's signature verification logic fails to handle the unknown algorithm as an error, allowing attackers to forge tokens and bypass authentication without needing a secret key or any cryptographic skill. The root cause is that the library returns an empty signature for an unrecognized algorithm, so a token carrying an empty signature matches during the verification check.
The importance of this finding extends beyond HarbourJwt, illustrating broader implications for the security of JWT implementations across various languages. Using an innovative approach, the researcher leveraged a large language model (LLM) to assist in identifying and reviewing multiple JWT libraries, showcasing how AI can support security research. The maintainer has since patched the vulnerability by incorporating checks for algorithm errors into the verification process, ensuring that any unsupported algorithm now leads to failed authentication. This incident serves as a reminder of the vital role of automated tools and diligent manual review in maintaining secure software, particularly in authentication mechanisms, which are critical to numerous applications.
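To make the defect class and its fix concrete, here is an added example in Python (constructed for this summary, not HarbourJwt's own code): a minimal HS256 verifier whose signing helper returns an empty signature for an unknown `alg`, beside a corrected verifier that rejects any unsupported algorithm before comparing signatures. The key, header values and the `UNSUPPORTED` algorithm name are constructed test inputs.

```python
# Added example (not HarbourJwt's code): vulnerable vs. fixed JWT verification.
# verify_vulnerable() mirrors the reported defect: an unrecognised "alg" yields
# an empty expected signature, which then matches a token with an empty signature.
# verify_fixed() treats an unknown algorithm as a hard failure.
import base64
import hashlib
import hmac
import json

SUPPORTED_ALG = "HS256"  # the only algorithm this toy verifier implements


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_vulnerable(signing_input: bytes, key: bytes, alg: str) -> bytes:
    # Defect: an unknown algorithm silently produces an empty signature.
    if alg == SUPPORTED_ALG:
        return hmac.new(key, signing_input, hashlib.sha256).digest()
    return b""


def verify_vulnerable(token: str, key: bytes) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = sign_vulnerable(signing_input, key, header.get("alg", ""))
    # With an unknown alg both sides are b"", so the comparison succeeds.
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_fixed(token: str, key: bytes) -> bool:
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != SUPPORTED_ALG:  # fix: unsupported alg is an error
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_token(header: dict, payload: dict, key: bytes) -> str:
    # Builds a token with the vulnerable signer (empty signature for unknown alg).
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = sign_vulnerable(f"{h}.{p}".encode(), key, header.get("alg", ""))
    return f"{h}.{p}.{b64url_encode(sig)}"
```

A regression test for a JWT library should include exactly this case: a token whose header names an algorithm the library does not implement must fail verification, whatever its signature field contains.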