PatchSiren cyber security CVE debrief
CVE-2026-25554 OpenSIPS CVE debrief
CVE-2026-25554 is a SQL injection vulnerability in OpenSIPS versions 3.1 before 3.6.4. The auth_jwt module is affected when db_mode is enabled and a SQL database backend is used. The vulnerability allows an attacker to manipulate the query result and bypass JWT authentication, enabling impersonation of arbitrary identities. This could lead to unauthorized access and potential data breaches. OpenSIPS users should prioritize patching to prevent potential authentication bypass and impersonation attacks.
- Vendor
- OpenSIPS
- Product
- Unknown
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-25
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-25
- Advisory updated
- 2026-07-14
Who should care
Users of OpenSIPS versions 3.1 before 3.6.4 who have the auth_jwt module enabled with db_mode and a SQL database backend should prioritize patching to prevent potential authentication bypass and impersonation attacks. This includes OpenSIPS administrators, security teams, and operators responsible for maintaining and securing communication infrastructure.
Technical summary
The jwt_db_authorize() function in modules/auth_jwt/authorize.c extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. This allows an attacker to supply a crafted JWT with a malicious tag claim to manipulate the query result. The vulnerability is specific to the auth_jwt module when used with db_mode and a SQL database backend. Users should update to OpenSIPS version 3.6.4 or later to address this issue.
Defensive priority
High priority should be given to patching OpenSIPS installations using the auth_jwt module with db_mode and a SQL backend, as the vulnerability enables authentication bypass and impersonation. Additional defensive measures include monitoring for suspicious activity, implementing compensating controls, and reviewing incident response plans.
Recommended defensive actions
- Patch OpenSIPS to version 3.6.4 or later
- Disable db_mode for the auth_jwt module if not required
- Use a non-SQL backend for the auth_jwt module
- Implement compensating controls such as JWT signature verification and input validation
- Monitor for suspicious authentication attempts and JWT usage
- Review and update incident response plans to address potential authentication bypass
- Conduct a thorough review of OpenSIPS deployments to identify and mitigate potential exposure
Evidence notes
The CVE record was published on 2026-02-25T18:23:40.617Z and was last modified on 2026-07-14T16:16:53.570Z. The NVD entry is currently Deferred. The OpenSIPS project has confirmed the vulnerability and provided patches. Users should verify their deployments and apply patches or mitigations as needed. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-25T18:23:40.617Z and has not been modified since then. The NVD entry is currently Deferred.