CVE-2026-53776 | Perry before 0.5.1166 contains a JWT validation vulnerabilit… | CVSS 9.1 CRITICAL

Description

Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

Metadata

CVE ID: CVE-2026-53776
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-10 20:14 UTC
Published: 2026-06-16 15:18 UTC
Last updated: 2026-06-16 17:10 UTC
Primary CWE: CWE-613
Insufficient Session Expiration
Vendor / Product: PerryTS / perry
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
PerryTS	perry	—	0 < 0.5.1166

Weakness (CWE)

CWE	Source	Description
CWE-613	cna	Insufficient Session Expiration

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (3)