PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45795 JanssenProject CVE debrief

The Janssen Project, an open-source identity and access management (IAM) platform, had a vulnerability in jans-auth-server where it accepted unsigned JWE request objects. This was due to JwtAuthorizationRequest skipping inner signature validation when jwe.getSignedJWTPayload() returned null, and AuthzRequestService.processRequestObject() not rejecting the unrecognized RSA-OAEP algorithm when forceSignedRequestObject=true. The issue was fixed in version 2.0.0. This vulnerability could impact organizations using the Janssen Project IAM platform, particularly those with exposed deployments. Affected product or component is jans-auth-server, and the vulnerability class is related to improper validation of JWE request objects.

Vendor
JanssenProject
Product
jans
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of the Janssen Project IAM platform, particularly those using versions prior to 2.0.0, should be aware of this vulnerability and take steps to upgrade or apply mitigations. Affected operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and assess their exposure.

Technical summary

The vulnerability in jans-auth-server allowed unsigned JWE request objects to be accepted due to improper validation. Specifically, JwtAuthorizationRequest did not validate inner signatures when jwe.getSignedJWTPayload() returned null. Additionally, AuthzRequestService.processRequestObject() did not reject the RSA-OAEP algorithm when forceSignedRequestObject=true. This issue was addressed in version 2.0.0. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. Technical details are limited to publicly available sources, and defenders should focus on upgrading to version 2.0.0 or applying compensating controls.

Defensive priority

Medium priority should be given to upgrading to version 2.0.0 or applying compensating controls to mitigate the risk of this vulnerability. Defenders should review the official advisory and CVE record for guidance on affected scope and severity.

Recommended defensive actions

  • Upgrade to Janssen Project version 2.0.0 or later
  • Review and adjust AuthzRequestService.processRequestObject() to properly handle forceSignedRequestObject=true
  • Implement additional monitoring and validation for JWE request objects
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record and NVD entry provide details on the vulnerability and its fix. The Janssen Project's GitHub repository contains commits and releases related to this issue. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments, review official advisories, and track vendor guidance for updates. Additional monitoring and validation for JWE request objects may be necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:56.820Z and has not been modified since.