CVE-2026-53776
CriticalCVSS 9.1Summary
Perry before version 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration. By exploiting the unconditional setting of validate_exp = false, attackers can use expired tokens to retain authenticated access indefinitely.
Risk Assessment
Organizations may be exposed to unauthorized access as attackers can exploit expired tokens to maintain user sessions, jeopardizing data security.
Recommendation
It is recommended to update to the latest version of Perry to mitigate this vulnerability and implement additional token verification mechanisms.
Original NVD description (English source)
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

