CVE-2026-53776 – Perry < 0.5.1166 JWT Expiration Bypass via verify_decode

CVE ID :CVE-2026-53776

Published : June 16, 2026, 5:16 p.m. | 25 minutes ago

Description :Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.

Severity: 9.3 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…