CVE-2026-41164
Published:May 26, 2026
Updated:June 11, 2026
nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31.
Affected Packages
https://github.com/nuts-foundation/nuts-node.git (GITHUB):
Affected version(s) >=v5.0.0 <v5.4.31Fix Suggestion:
Update to version v5.4.31https://github.com/nuts-foundation/nuts-node.git (GITHUB):
Affected version(s) >=v6.0.0 <v6.2.3Fix Suggestion:
Update to version v6.2.3github.com/nuts-foundation/nuts-node (GO):
Affected version(s) >=v5.0.0 <v5.4.31Fix Suggestion:
Update to version v5.4.31github.com/nuts-foundation/nuts-node (GO):
Affected version(s) >=v6.0.0 <v6.2.3Fix Suggestion:
Update to version v6.2.3Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Insufficient Verification of Data Authenticity
EPSS
Base Score:
0.01