{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-21T09:28:51.304","vulnerabilities":[{"cve":{"id":"CVE-2026-25554","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-02-25T18:23:40.617","lastModified":"2026-06-17T10:24:50.573","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities."},{"lang":"es","value":"Las versiones de OpenSIPS 3.1 anteriores a la 3.6.4 que contienen el módulo auth_jwt (anterior al commit 3822d33) contienen una vulnerabilidad de inyección SQL en la función jwt_db_authorize() en modules/auth_jwt/authorize.c cuando db_mode está habilitado y se utiliza un backend de base de datos SQL. La función extrae la tag claim de un JWT sin verificación de firma previa e incorpora el valor sin escapar directamente en una consulta SQL. Un atacante puede proporcionar un JWT manipulado con una tag claim maliciosa para manipular el resultado de la consulta y eludir la autenticación JWT, permitiendo la suplantación de identidades arbitrarias."}],"affected":[{"source":"disclosure@vulncheck.com","affectedData":[{"vendor":"OpenSIPS","product":"OpenSIPS","defaultStatus":"unaffected","repo":"https://github.com/OpenSIPS/opensips","versions":[{"version":"3.1","lessThan":"3.6.4","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":4.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-04T16:43:08.070958Z","id":"CVE-2026-25554","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-89"}]}],"references":[{"url":"https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05","source":"disclosure@vulncheck.com"},{"url":"https://github.com/OpenSIPS/opensips/pull/3807","source":"disclosure@vulncheck.com"},{"url":"https://opensips.org/","source":"disclosure@vulncheck.com"},{"url":"https://opensips.org/pub/opensips/3.6.4/ChangeLog","source":"disclosure@vulncheck.com"},{"url":"https://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass","source":"disclosure@vulncheck.com"}]}}]}