CVE-2026-25554 Overview
CVE-2026-25554 is a SQL injection vulnerability in the auth_jwt module of OpenSIPS, affecting versions from 3.1 up to but not including 3.6.4. It lies in the jwt_db_authorize() function in modules/auth_jwt/authorize.c and is reachable when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT before verifying the token's signature and splices the unescaped value directly into a SQL query. An attacker can therefore supply a crafted JWT whose tag claim alters the query result, bypassing JWT authentication and impersonating arbitrary identities.
Critical Impact
Successful exploitation allows attackers to bypass JWT authentication entirely and impersonate any user identity, potentially granting unauthorized access to protected SIP communications and infrastructure.
Affected Products
- OpenSIPS versions 3.1 through 3.6.3 (prior to 3.6.4)
- OpenSIPS installations using the auth_jwt module with db_mode enabled
- OpenSIPS deployments using SQL database backends for JWT authentication
Discovery Timeline
- 2026-02-25 - CVE-2026-25554 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-25554
Vulnerability Analysis
This vulnerability is a classic SQL injection flaw combined with an authentication bypass: token claims are trusted and acted on before the token's signature has been verified. The jwt_db_authorize() function in the auth_jwt module extracts claims from the JWT before validating its signature. When db_mode is enabled, the extracted tag claim is used directly in SQL queries to look up user credentials or permissions in the database backend.
The critical security flaw is twofold: first, the JWT signature is not verified before extracting and using claim values; second, the tag claim value is not properly escaped or parameterized before being concatenated into the SQL query string. This allows an attacker to craft a malicious JWT containing SQL injection payloads in the tag claim field, which are then executed against the database.
Since signature verification occurs after claim extraction and database query execution, an attacker does not need to possess a valid signing key. They can forge a JWT with any arbitrary payload, including SQL injection strings, that will be processed and executed against the backend database.
Root Cause
The root cause is missing input sanitization in the jwt_db_authorize() function. The code path extracts the tag claim from the JWT payload and incorporates it directly into a SQL query without escaping special characters or using parameterized queries. The fix, implemented in commit 3822d33c1c6b25832fdd88da1d23eed74be55b05, adds the strcommon.h header, which provides the string escaping helpers used to sanitize the user-controlled tag value before the SQL query is built.
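To make both halves of the defense concrete, here is an added Python model of a hardened jwt_db_authorize() path; it is not OpenSIPS code. It checks the HS256 signature before reading any claim, then binds the tag as a query parameter, and also carries a simplified escape_tag() in the spirit of the strcommon.h-based fix for code that still builds the query as a string. The key, the jwt_secrets table, make_token() and setup_db() are constructed stand-ins for the demo.

```python
import base64, hashlib, hmac, json, sqlite3

# Constructed demo key; a real deployment uses the issuer key material it is configured with.
SECRET = b"constructed-demo-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key=SECRET):
    """Constructed helper that mints an HS256 JWT so the checks below have input."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def setup_db():
    """Constructed in-memory stand-in for the SQL backend that maps a tag to a user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jwt_secrets (tag TEXT, username TEXT)")
    db.execute("INSERT INTO jwt_secrets VALUES ('alice-tag', 'alice')")
    return db

def escape_tag(tag):
    """Simplified escaping in the spirit of the strcommon.h-based fix (not the real helper):
    double backslashes and single quotes so the value can never close the SQL literal."""
    return tag.replace("\\", "\\\\").replace("'", "''")

def jwt_db_authorize_fixed(db, token, key=SECRET):
    """Hardened order: verify the signature BEFORE any claim is read, then bind the tag
    as a query parameter so its content is always data, never SQL."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # forged or unsigned token: no claim is extracted, no query runs
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON (all ValueError subclasses)
        return None
    tag = claims.get("tag") if isinstance(claims, dict) else None
    if not isinstance(tag, str):
        return None
    # Bound parameter: same effect as escaping, but the driver does it correctly for every backend.
    row = db.execute("SELECT username FROM jwt_secrets WHERE tag = ?", (tag,)).fetchone()
    return row[0] if row else None
```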
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can craft a malicious JWT with a specially constructed tag claim containing SQL injection syntax. When this JWT is submitted to an OpenSIPS server with the vulnerable auth_jwt module configured with db_mode enabled, the SQL injection payload is executed against the database. This can be used to manipulate query results to return valid authentication data for arbitrary users, effectively bypassing the JWT authentication mechanism entirely.
// Security patch adding proper string escaping functionality
// Source: https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05
#include "../../usr_avp.h"
#include "../../mod_fix.h"
#include "../../mem/mem.h"
+#include "../../strcommon.h"
#include "jwt_avps.h"
#include "authjwt_mod.h"
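Review bot: the hunk shows only the new `#include "../../strcommon.h"`; the call site in jwt_db_authorize() where the escaping helper is applied to the tag claim before the query string is assembled is not in the excerpt, so the header alone changes nothing and the review should confirm that the escaped value, not the raw claim, is what reaches the query. Escaping also covers only the second half of the flaw described in the analysis above: while claims are still read and queried before the signature is checked, a forged token still drives a database lookup, so moving signature verification ahead of claim extraction (or binding the tag as a query parameter where the DB API supports it) belongs in the same review.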
The patch adds the strcommon.h include, which provides string manipulation and escaping functions to properly sanitize the tag claim value before it is used in SQL queries, preventing SQL injection attacks.
Detection Methods for CVE-2026-25554
Indicators of Compromise
- Unusual JWT tokens in SIP authentication requests containing SQL syntax characters such as single quotes, semicolons, or SQL keywords
- Database query errors or anomalies in OpenSIPS logs related to JWT authentication
- Successful authentications for users without corresponding legitimate JWT issuance
- Unexpected modifications to authentication-related database tables
Detection Strategies
- Monitor SIP REGISTER and INVITE requests for JWT tokens containing SQL injection patterns in claim fields
- Implement database query logging and alerting for unusual patterns in queries originating from the auth_jwt module
- Deploy Web Application Firewall (WAF) or SIP-aware intrusion detection rules to identify SQL injection attempts in JWT payloads
- Audit authentication logs for successful logins that cannot be correlated with legitimate JWT token issuance
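As an added example of the first detection strategy (not part of the advisory): a Python scanner that pulls JWTs out of captured SIP request lines, decodes the payload without any key, and flags watched claims (here only tag) whose value contains the quote, semicolon, comment-marker or keyword patterns listed under Indicators of Compromise. The sample lines, the Bearer header placement and the keyword list are constructed assumptions; tune WATCHED_CLAIMS and SQL_PATTERN to your configuration.

```python
import base64, json, re

# Claim fields the module feeds into SQL (the advisory names "tag"); extend per deployment.
WATCHED_CLAIMS = ("tag",)
# Heuristic built from the advisory's IoC list: quotes, semicolons, comment markers, keywords.
SQL_PATTERN = re.compile(r"['\";]|--|/\*|\b(?:OR|AND|UNION|SELECT|DROP|INSERT|UPDATE|DELETE)\b", re.I)
# Three base64url segments; the signature segment may be empty on an unsigned token.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_claims(token):
    """Read the payload without trusting it: a sensor has no signing key and must not need one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def suspicious_claims(claims):
    """Return {claim: value} for watched claims whose value contains SQL syntax."""
    return {n: v for n, v in claims.items()
            if n in WATCHED_CLAIMS and isinstance(v, str) and SQL_PATTERN.search(v)}

def scan_log(lines):
    """Return (line_no, claim, value) for every token in the lines that carries a suspicious claim."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in JWT_RE.finditer(line):
            for name, val in suspicious_claims(decode_claims(m.group(0)) or {}).items():
                findings.append((no, name, val))
    return findings

def _fake_token(claims):
    """Constructed test input: an unsigned token (empty signature) carrying the given claims."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}."

# Constructed SIP request lines; the exact capture format depends on how you log headers.
SAMPLE_LOG = [
    "REGISTER sip:pbx.example.test SIP/2.0 | Authorization: Bearer " + _fake_token({"tag": "alice-tag"}),
    "REGISTER sip:pbx.example.test SIP/2.0 | Authorization: Bearer " + _fake_token({"tag": "x' OR 1=1 --"}),
    "INVITE sip:bob@pbx.example.test SIP/2.0 | Authorization: Bearer " + _fake_token({"tag": "bob-tag"}),
]
```

Running scan_log(SAMPLE_LOG) reports only the second line; feed it the same lines you would otherwise grep by hand.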
Monitoring Recommendations
- Enable verbose logging for the OpenSIPS auth_jwt module to capture all authentication attempts
- Configure database audit logging to track queries executed by the OpenSIPS database connection
- Implement real-time alerting for authentication anomalies such as authentication from unexpected sources
- Review SIP signaling traffic for malformed or suspicious JWT tokens in authentication headers
How to Mitigate CVE-2026-25554
Immediate Actions Required
- Upgrade OpenSIPS to version 3.6.4 or later immediately
- If upgrade is not immediately possible, disable the auth_jwt module or switch to a non-SQL backend temporarily
- Review authentication logs for any evidence of exploitation
- Audit user accounts and permissions for unauthorized changes
Patch Information
The vulnerability is fixed in OpenSIPS version 3.6.4. The security fix is implemented in commit 3822d33c1c6b25832fdd88da1d23eed74be55b05, which adds proper string escaping for the JWT tag claim before SQL query construction. Organizations should upgrade to version 3.6.4 or apply the patch from GitHub Pull Request #3807. The complete changelog for version 3.6.4 is available at the OpenSIPS ChangeLog.
Workarounds
- Disable the auth_jwt module if JWT authentication is not critical to operations
- Switch to a non-SQL database backend for JWT credential storage if supported
- Implement network-level access controls to restrict which clients can send SIP authentication requests
- Deploy a SIP-aware firewall or proxy that can inspect and filter malicious JWT tokens
# Configuration example - Disable auth_jwt module in opensips.cfg
# Comment out or remove the auth_jwt module load directive
# loadmodule "auth_jwt.so"
# Alternative: If using db_mode, switch to local mode temporarily
# modparam("auth_jwt", "db_mode", 0)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.