PatchSiren cyber security CVE debrief

CVE-2026-41164 nuts-foundation CVE debrief

CVE-2026-41164 is a MEDIUM severity (CVSS 3.1 base score 4.4) vulnerability in nuts-node, the reference implementation of the Nuts specification. Published on 2026-05-26, it affects the 6.x line before 6.2.3 and the 5.x line before 5.4.31. The flaw is in the v1 access token introspection endpoint (/auth/v1/introspect_access_token), which accepted any JWT carrying a valid signature from a key held by the node: it did not check the JWT type, did not bind the token's issuer to the key that signed it, and did not require the claims an access token must carry. Because a Verifiable Presentation (VP) JWT is also signed by a key on the node, such a VP could be replayed to the endpoint in place of an access token and receive an active: true response, so any relying party that trusts the introspection result would treat it as a valid access token. The root cause is classified as CWE-345 (Insufficient Verification of Data Authenticity). The vendor has released fixes in versions 6.2.3 and 5.4.31.

Vendor
nuts-foundation
Product
nuts-node
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running nuts-node for decentralized identity and healthcare data exchange, in particular any deployment whose resource servers call the v1 access token introspection endpoint to make authorization decisions. Security teams responsible for OAuth 2.0 and OpenID Connect deployments in the healthcare or government sectors that build on Nuts specification implementations.

Technical summary

The nuts-node v1 access token introspection endpoint does not validate the JWT type, does not check that the key used to verify the signature belongs to the token's issuer, and does not check for the claims an access token is required to carry. A valid signature from any key on the node is enough, so a Verifiable Presentation JWT, which the node also signs, can be replayed as an access token and introspected as active. The CVSS vector (AC:H, PR:L, UI:R) reflects that the attacker must first obtain a VP JWT signed by one of the node's keys; this is a replay of an existing signed object, not a signature forgery. Fixed in 6.2.3 and 5.4.31.

Defensive priority

medium

Recommended defensive actions

  • Upgrade nuts-node to 6.2.3 or later on the 6.x line, or 5.4.31 or later on the 5.x line
  • Review any custom or third-party introspection endpoints for JWT type validation: reject tokens whose typ header does not identify an access token, even when the signature verifies
  • Verify that the key identified by the token's kid is bound to the token's iss before accepting it as an access token; a valid signature from any key held by the node is not sufficient
  • Require the claims an access token must carry (for example iss, sub, aud, exp, and the scope claims that authorization decisions depend on) and reject tokens missing any of them
  • Audit introspection logs for active: true responses to tokens the node never issued as access tokens, for example tokens whose payload carries a vp claim or whose iss is not the authorization server; these indicate VP JWT replay attempts
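The three checks listed above, shown side by side with the weak check the advisory describes. This is an added example written for this debrief, not nuts-node code: the key store, the DIDs, the kid values and the tokens are all constructed here, and the requirement that an access token carry the RFC 9068 media type at+jwt is this example's choice of "JWT type validation" (the advisory does not say which type value the fix requires). The weak path accepts any token whose signature verifies under any key the node holds; the strict path additionally checks the typ header, that the issuer is this authorization server, that the signing key belongs to that issuer, and that the required claims are present and unexpired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Hypothetical node key store (not nuts-node's types): every key the node holds, by kid,
// plus the DID that controls each key.
type keyStore struct {
	keys  map[string]ed25519.PublicKey
	owner map[string]string
}

const authServer = "did:web:auth.example" // constructed DID of the authorization server
var enc = base64.RawURLEncoding

// sign mints a compact EdDSA JWT with the given typ header and claims.
func sign(priv ed25519.PrivateKey, kid, typ string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": typ, "kid": kid})
	c, _ := json.Marshal(claims)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verify looks the kid up among ALL node keys and checks the signature: the whole of
// what the advisory describes the vulnerable endpoint as doing.
func (ks *keyStore) verify(tok string) (h map[string]string, claims map[string]any, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return h, nil, errors.New("malformed token")
	}
	hb, e1 := enc.DecodeString(p[0])
	cb, e2 := enc.DecodeString(p[1])
	sig, e3 := enc.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &h) != nil || h["alg"] != "EdDSA" {
		return h, nil, errors.New("malformed token")
	}
	pub, ok := ks.keys[h["kid"]] // any key the node holds is accepted here
	if !ok || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return h, nil, errors.New("unknown kid or bad signature")
	}
	if json.Unmarshal(cb, &claims) != nil {
		return h, nil, errors.New("bad claims")
	}
	return h, claims, nil
}

// weakIntrospect reproduces the flaw: a valid signature by any node key means active.
func (ks *keyStore) weakIntrospect(tok string) bool {
	_, _, err := ks.verify(tok)
	return err == nil
}

// strictIntrospect adds the three checks the advisory lists as missing, plus expiry.
func (ks *keyStore) strictIntrospect(tok string, now time.Time) (bool, string) {
	h, claims, err := ks.verify(tok)
	switch {
	case err != nil:
		return false, err.Error()
	case h["typ"] != "at+jwt": // JWT type: RFC 9068 access-token media type; a VP JWT lacks it
		return false, "typ is not at+jwt"
	case claims["iss"] != authServer:
		return false, "iss is not this authorization server"
	case ks.owner[h["kid"]] != authServer: // issuer-to-key binding: signing key must belong to iss
		return false, "kid is not bound to iss"
	}
	for _, c := range []string{"sub", "aud", "scope", "exp"} { // required claims
		if _, ok := claims[c]; !ok {
			return false, "missing claim " + c
		}
	}
	if exp, _ := claims["exp"].(float64); !now.Before(time.Unix(int64(exp), 0)) {
		return false, "expired"
	}
	return true, ""
}

// demoTokens builds a node holding two keys and mints three constructed tokens: a real access
// token, a VP JWT signed by the holder's key on the same node, and a forgery that reuses the
// access-token header and claims but is signed by the holder's key.
func demoTokens() (*keyStore, map[string]string) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	ks := &keyStore{
		keys:  map[string]ed25519.PublicKey{"auth#1": authPub, "holder#1": holderPub},
		owner: map[string]string{"auth#1": authServer, "holder#1": "did:web:holder.example"},
	}
	exp := time.Now().Add(time.Hour).Unix()
	at := map[string]any{"iss": authServer, "sub": "did:web:client.example", "aud": "did:web:rs.example", "scope": "read", "exp": exp}
	vp := map[string]any{"iss": "did:web:holder.example", "vp": map[string]any{"type": "VerifiablePresentation"}, "exp": exp}
	return ks, map[string]string{
		"access": sign(authPriv, "auth#1", "at+jwt", at),
		"vp":     sign(holderPriv, "holder#1", "JWT", vp),
		"forged": sign(holderPriv, "holder#1", "at+jwt", at),
	}
}
```

With the tokens from demoTokens, weakIntrospect returns true for the VP JWT, which is the bug; strictIntrospect rejects it on the typ check, rejects the forged token (correct type and issuer claim, wrong key) on the issuer-to-key binding, and accepts only the genuine access token. The order of the checks matters in practice: type and issuer binding are cheap and decide most replay cases before any claim parsing, and the expiry check is useless on its own, since a replayed VP JWT can carry a valid exp.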

Evidence notes

Official CVE record and NVD entry confirm CVSS 3.1 score of 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N). GitHub Security Advisory GHSA-9hmg-827w-9rhj provides technical details on the vulnerable endpoint behavior and fix versions. NVD status is currently 'Deferred'.

Official resources

2026-05-26