Authentication Bypass via JWT alg=none in Solandra Commerce API
- CVE ID
- Pending CVE assignment
- CVSS Score
- 9.1
- Affected Products
- Solandra Commerce API <= 3.4.2
Overview
During an assessment of a customer’s API gateway, Solandra Commerce API’s authentication
middleware was found to accept JSON Web Tokens signed with "alg": "none",
allowing an attacker to forge arbitrary tokens — including tokens claiming
administrative privileges — without knowledge of any signing key.
Impact
An unauthenticated attacker able to submit a crafted request could impersonate any user, including administrative accounts, and gain full read/write access to every resource exposed through the API. This is a complete authentication bypass.
Affected Products
- Solandra Commerce API, all versions up to and including 3.4.2
Technical Details
The token verification middleware selected its verification algorithm based on
the alg field present in the attacker-supplied JWT header rather than
enforcing a fixed, expected algorithm. Submitting a token with alg: none and
an empty signature segment caused the library to skip signature verification
entirely while still parsing and trusting the claims in the payload.
At a high level, the forged token’s structure was:
{ "alg": "none", "typ": "JWT" }
.
{ "sub": "admin", "role": "superuser" }
.
with the trailing signature segment left empty — no cryptographic material was required to produce a token the API treated as valid.
Remediation
Solandra shipped 3.4.3, which hardcodes the expected signing algorithm on the
verification side and rejects any token whose header does not match it,
regardless of what the token itself claims. Organizations running an older
version should upgrade immediately or, if patching isn’t immediately possible,
add a gateway-level rule rejecting any JWT with alg: none.
Disclosure Timeline
- 2026-06-02 — Vulnerability identified during a client engagement, private disclosure sent to Solandra
- 2026-06-09 — Solandra confirmed the finding and began work on a fix
- 2026-06-20 — Patched release (3.4.3) shipped to customers
- 2026-06-25 — Public advisory published following the coordinated disclosure window
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call