What is the severity of CVE-2026-35039?

CVE-2026-35039 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-35039?

No known public exploits are currently available for CVE-2026-35039.

Is there a patch available for CVE-2026-35039?

No official patches have been released yet for CVE-2026-35039. Consider implementing workarounds or mitigations.

CVE-2026-35039 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

No

Patch

Medium Priority

no patch

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

Setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process leading to:

Valid tokens returning claims from different valid tokens
Users being mis-identified as other users based on the wrong token

This could result in:

User impersonation - UserB receives UserA's identity and permissions
Privilege escalation - Low-privilege users inherit admin-level access
Cross-tenant data access - Users gain access to other tenants' resources
Authorization bypass - Security decisions made on wrong user identity

Affected Configurations

This vulnerability ONLY affects applications that BOTH:

Enable caching using the cache option
Use custom cacheKeyBuilder functions that can produce collisions

VULNERABLE examples:

// Collision-prone: same audience = same cache key
cacheKeyBuilder: (token) => {
  const { aud } = parseToken(token)
  return `aud=${aud}`
}

// Collision-prone: grouping by user type
cacheKeyBuilder: (token) => {
  const { aud } = parseToken(token)
  return aud.includes('admin') ? 'admin-users' : 'regular-users'
}

// Collision-prone: tenant + service grouping
cacheKeyBuilder: (token) => {
  const { iss, aud } = parseToken(token)
  return `${iss}-${aud}`
}

SAFE examples:

// Default hash-based (recommended)
createVerifier({ cache: true })  // Uses secure default

// Include unique user identifier
cacheKeyBuilder: (token) => {
  const { sub, aud, iat } = parseToken(token)
  return `${sub}-${aud}-${iat}`
}

// No caching (always safe)
createVerifier({ cache: false })

Not Affected

Applications using default caching
Applications with caching disabled

Assessment Guide

To determine if a consumer application is affected:

Check if caching is enabled: Look for cache: true or cache: <number> in verifier configuration

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Ready for Agentic Automated Testing?

CVE-2026-35039

Impact

Affected Configurations

Not Affected

Assessment Guide

Mitigations