PatchSiren cyber security CVE debrief
CVE-2026-53776 PerryTS CVE debrief
CVE-2026-53776 is a critical vulnerability in Perry before version 0.5.1166. It allows remote attackers to bypass token expiration because the verify_decode helper in the stdlib JWT verification path unconditionally sets validate_exp = false. An attacker in possession of a previously issued bearer token can present it to any jwt.verify() call after it has expired and retain authenticated access indefinitely, which defeats any session invalidation that relies on token expiry, such as user logout or administrative revocation.
- Vendor: PerryTS
- Product: perry
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Anyone running Perry before version 0.5.1166, and in particular any application that relies on the stdlib jwt.verify() path to authenticate bearer tokens, should update to version 0.5.1166 or later. Until then, an attacker holding any previously issued token can keep using it after expiry and retain authenticated access indefinitely.
Technical summary
The stdlib JWT verification path delegates to a verify_decode helper that unconditionally sets validate_exp = false, so the token's expiry claim is never checked: any token with a valid signature is accepted by every jwt.verify() call regardless of how long ago it expired. An attacker holding a previously issued bearer token therefore retains authenticated access indefinitely.
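The following is an added example written for this debrief, not Perry's own code: a minimal HS256 JWT helper in which the shared decode step takes a validateExp flag, shown once in the vulnerable shape (the flag hard-wired to false, as described above) and once in the fixed shape (expiry enforced unless a caller explicitly opts out). The function and constant names, secret and timestamps are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Minimal HS256 JWT helper written for this debrief; it is not Perry's code and
// only models the bug class: an exp check that a helper silently switches off.
type Claims = { sub: string; exp?: number };
const b64url = (s: string): string => Buffer.from(s).toString("base64url");

function sign(claims: Claims, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Shared decode step: verify the HMAC, then enforce exp only when validateExp is true.
function verifyDecode(token: string, secret: string, validateExp: boolean, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let claims: Claims;
  try { claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); } catch { return null; }
  if (validateExp && (typeof claims.exp !== "number" || claims.exp <= now)) return null;
  return claims;
}

// Vulnerable shape (as described for Perry < 0.5.1166): validate_exp is hard-wired
// to false, so any token with a valid signature is accepted, however old it is.
function verifyVulnerable(token: string, secret: string, now = Math.floor(Date.now() / 1000)): Claims | null {
  return verifyDecode(token, secret, false, now);
}

// Fixed shape: exp is enforced by default and a caller must opt out explicitly.
function verifyFixed(token: string, secret: string, now = Math.floor(Date.now() / 1000),
                     validateExp = true): Claims | null {
  return verifyDecode(token, secret, validateExp, now);
}

// Constructed demo values: a signing secret, a fixed "current time" and two tokens.
const DEMO_SECRET = "demo-secret-not-for-production";
const DEMO_NOW = 1_750_000_000;
const EXPIRED_TOKEN = sign({ sub: "alice", exp: DEMO_NOW - 3600 }, DEMO_SECRET); // expired 1 h ago
const LIVE_TOKEN = sign({ sub: "bob", exp: DEMO_NOW + 3600 }, DEMO_SECRET);      // valid for 1 h

console.log("vulnerable accepts expired:", verifyVulnerable(EXPIRED_TOKEN, DEMO_SECRET, DEMO_NOW) !== null);
console.log("fixed accepts expired:", verifyFixed(EXPIRED_TOKEN, DEMO_SECRET, DEMO_NOW) !== null);
```

A regression test for a real deployment is the same shape: sign a token whose exp lies in the past and assert that the production verify path rejects it.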
Defensive priority
high
Recommended defensive actions
- Update Perry to version 0.5.1166 or later.
- Review any custom JWT verification code to confirm that the exp claim is actually enforced and that no helper or wrapper disables expiry validation (for example by setting validate_exp = false).
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4], [ref-5], and [ref-6].
Official resources
CVE-2026-53776 was published on 2026-06-16 and modified on 2026-06-16.