CVE-2026-45363 — jwt/ruby-jwt

Q: What is the impact of CVE-2026-45363?

CVSS 7.4 High. The vulnerability class is Disclosed vulnerability.

Q: Where can I find authoritative references?

NVD record, MITRE CVE record, and the vendor security advisory.

Summary

CVE-2026-45363 is a high-severity vulnerability affecting jwt/ruby-jwt (Ruby): Empty-key HMAC bypass.

References

NVD↗MITRE↗Vendor / Advisory↗PoC repo (if published)↗

Disclosure

Reported by Kai Aizen. Status: NVD: RESERVED. Coordinated through standard NVD/MITRE/GHSA channels.

Frequently asked

CVE-2026-45363 — questions & answers

What is CVE-2026-45363?

CVE-2026-45363 is a disclosed vulnerability (Disclosed vulnerability) in jwt/ruby-jwt, coordinated through the standard CVE process by independent security researcher Kai Aizen.

Am I affected by CVE-2026-45363?

You are affected if your environment runs an unpatched version of jwt/ruby-jwt. Check the upstream advisory or NVD record for the precise affected version range, then verify against your deployed version.

How do I fix CVE-2026-45363?

Upgrade jwt/ruby-jwt to the version that includes the upstream fix referenced in the NVD record. If an immediate upgrade is not possible, apply the mitigation guidance from the vendor advisory and restrict exposure of the affected surface area.

What is the impact of CVE-2026-45363?

CVSS 7.4 · High. The vulnerability class is Disclosed vulnerability; consult the NVD and vendor advisory for vector details, exploitation prerequisites, and observed impact.

Where can I find authoritative references?

NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-45363, the MITRE CVE record at https://www.cve.org/CVERecord?id=CVE-2026-45363, and the vendor's security advisory page.