PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25554 OpenSIPS CVE debrief

CVE-2026-25554 is a SQL injection vulnerability in OpenSIPS versions 3.1 before 3.6.4. The auth_jwt module is affected when db_mode is enabled and a SQL database backend is used. The vulnerability allows an attacker to manipulate the query result and bypass JWT authentication, enabling impersonation of arbitrary identities. This could lead to unauthorized access and potential data breaches. OpenSIPS users should prioritize patching to prevent potential authentication bypass and impersonation attacks.

Vendor
OpenSIPS
Product
Unknown
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-25
Original CVE updated
2026-07-14
Advisory published
2026-02-25
Advisory updated
2026-07-14

Who should care

Users of OpenSIPS versions 3.1 before 3.6.4 who have the auth_jwt module enabled with db_mode and a SQL database backend should prioritize patching to prevent potential authentication bypass and impersonation attacks. This includes OpenSIPS administrators, security teams, and operators responsible for maintaining and securing communication infrastructure.

Technical summary

The jwt_db_authorize() function in modules/auth_jwt/authorize.c extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. This allows an attacker to supply a crafted JWT with a malicious tag claim to manipulate the query result. The vulnerability is specific to the auth_jwt module when used with db_mode and a SQL database backend. Users should update to OpenSIPS version 3.6.4 or later to address this issue.

Defensive priority

High priority should be given to patching OpenSIPS installations using the auth_jwt module with db_mode and a SQL backend, as the vulnerability enables authentication bypass and impersonation. Additional defensive measures include monitoring for suspicious activity, implementing compensating controls, and reviewing incident response plans.

Recommended defensive actions

  • Patch OpenSIPS to version 3.6.4 or later
  • Disable db_mode for the auth_jwt module if not required
  • Use a non-SQL backend for the auth_jwt module
  • Implement compensating controls such as JWT signature verification and input validation
  • Monitor for suspicious authentication attempts and JWT usage
  • Review and update incident response plans to address potential authentication bypass
  • Conduct a thorough review of OpenSIPS deployments to identify and mitigate potential exposure

Evidence notes

The CVE record was published on 2026-02-25T18:23:40.617Z and was last modified on 2026-07-14T16:16:53.570Z. The NVD entry is currently Deferred. The OpenSIPS project has confirmed the vulnerability and provided patches. Users should verify their deployments and apply patches or mitigations as needed. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-25T18:23:40.617Z and has not been modified since then. The NVD entry is currently Deferred.