
Impact

Systems running registry version > 3.0.0-beta.1 with token authentication enabled.

Patches

Update to at least v3.0.0-rc.3

Workarounds

There is no way to work around this issue without patching if your system requires token authentication.

References

The issue lies in how the JWK verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (kid) matches one of the trusted keys, but doesn't verify that the actual key material matches. Here's the problematic flow:

1. An attacker generates their own key pair.
2. They create a JWT and include their public key in the JWK header.
3. They set the kid in the JWK to match one of the trusted keys' IDs (which they could potentially discover).
4. They sign the JWT with their private key.
5. The registry only checks if the kid exists in the trusted keys map but then uses the attacker's public key from the JWK to verify the…
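As an added illustration of the flawed lookup beside the corrected check (example code written for this page, not the registry's own implementation): it assumes ed25519 keys, a Trusted map type, the kid value "kid-1" and a constructed claims payload as stand-ins for the registry's real JWK handling.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
)

// Trusted maps a key id (the JWT "kid") to the public key the registry is
// configured to accept. Constructed for this example, not the registry's type.
type Trusted map[string]ed25519.PublicKey

// VerifyKidOnly mirrors the flawed flow: the kid is looked up in the trusted
// set, but the signature is checked with the key carried in the token's own JWK.
func VerifyKidOnly(tr Trusted, kid string, jwk ed25519.PublicKey, msg, sig []byte) error {
	if _, ok := tr[kid]; !ok {
		return errors.New("unknown kid")
	}
	if !ed25519.Verify(jwk, msg, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// VerifyTrustedKey is the corrected check: the kid selects a trusted key, the
// embedded JWK must match it byte for byte, and only the trusted key verifies.
func VerifyTrustedKey(tr Trusted, kid string, jwk ed25519.PublicKey, msg, sig []byte) error {
	key, ok := tr[kid]
	if !ok {
		return errors.New("unknown kid")
	}
	if !bytes.Equal(key, jwk) {
		return errors.New("embedded JWK does not match trusted key for kid")
	}
	if !ed25519.Verify(key, msg, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario rebuilds the advisory's situation from fixed, constructed seeds: the
// JWK header names a trusted kid but carries a different key, which signed the token.
func Scenario() (tr Trusted, kid string, jwk ed25519.PublicKey, msg, sig []byte) {
	trustedPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	tr = Trusted{"kid-1": trustedPriv.Public().(ed25519.PublicKey)}
	msg = []byte(`{"access":[{"type":"repository","name":"demo/app","actions":["push"]}]}`)
	return tr, "kid-1", otherPriv.Public().(ed25519.PublicKey), msg, ed25519.Sign(otherPriv, msg)
}
```

Run against Scenario(), VerifyKidOnly returns nil while VerifyTrustedKey returns the mismatch error; a token signed by the trusted key itself passes both checks.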