PatchSiren cyber security CVE debrief
CVE-2026-45795 JanssenProject CVE debrief
The Janssen Project, an open-source identity and access management (IAM) platform, had a vulnerability in jans-auth-server where it accepted unsigned JWE request objects. This was due to JwtAuthorizationRequest skipping inner signature validation when jwe.getSignedJWTPayload() returned null, and AuthzRequestService.processRequestObject() not rejecting the unrecognized RSA-OAEP algorithm when forceSignedRequestObject=true. The issue was fixed in version 2.0.0. This vulnerability could impact organizations using the Janssen Project IAM platform, particularly those with exposed deployments. Affected product or component is jans-auth-server, and the vulnerability class is related to improper validation of JWE request objects.
- Vendor
- JanssenProject
- Product
- jans
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of the Janssen Project IAM platform, particularly those using versions prior to 2.0.0, should be aware of this vulnerability and take steps to upgrade or apply mitigations. Affected operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and assess their exposure.
Technical summary
The vulnerability in jans-auth-server allowed unsigned JWE request objects to be accepted due to improper validation. Specifically, JwtAuthorizationRequest did not validate inner signatures when jwe.getSignedJWTPayload() returned null. Additionally, AuthzRequestService.processRequestObject() did not reject the RSA-OAEP algorithm when forceSignedRequestObject=true. This issue was addressed in version 2.0.0. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. Technical details are limited to publicly available sources, and defenders should focus on upgrading to version 2.0.0 or applying compensating controls.
Defensive priority
Medium priority should be given to upgrading to version 2.0.0 or applying compensating controls to mitigate the risk of this vulnerability. Defenders should review the official advisory and CVE record for guidance on affected scope and severity.
Recommended defensive actions
- Upgrade to Janssen Project version 2.0.0 or later
- Review and adjust AuthzRequestService.processRequestObject() to properly handle forceSignedRequestObject=true
- Implement additional monitoring and validation for JWE request objects
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record and NVD entry provide details on the vulnerability and its fix. The Janssen Project's GitHub repository contains commits and releases related to this issue. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments, review official advisories, and track vendor guidance for updates. Additional monitoring and validation for JWE request objects may be necessary.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:56.820Z and has not been modified since.