>samit_hota
Back to advisories
SH-2026-001CriticalMitigated

Authentication Bypass via JWT alg=none in Solandra Commerce API

Samit Hota··Updated June 25, 2026
CVE ID
Pending CVE assignment
CVSS Score
9.1
Affected Products
Solandra Commerce API <= 3.4.2
#authentication#jwt#api-security

Overview

During an assessment of a customer’s API gateway, Solandra Commerce API’s authentication middleware was found to accept JSON Web Tokens signed with "alg": "none", allowing an attacker to forge arbitrary tokens — including tokens claiming administrative privileges — without knowledge of any signing key.

Impact

An unauthenticated attacker able to submit a crafted request could impersonate any user, including administrative accounts, and gain full read/write access to every resource exposed through the API. This is a complete authentication bypass.

Affected Products

  • Solandra Commerce API, all versions up to and including 3.4.2

Technical Details

The token verification middleware selected its verification algorithm based on the alg field present in the attacker-supplied JWT header rather than enforcing a fixed, expected algorithm. Submitting a token with alg: none and an empty signature segment caused the library to skip signature verification entirely while still parsing and trusting the claims in the payload.

At a high level, the forged token’s structure was:

{ "alg": "none", "typ": "JWT" }
.
{ "sub": "admin", "role": "superuser" }
.

with the trailing signature segment left empty — no cryptographic material was required to produce a token the API treated as valid.

Remediation

Solandra shipped 3.4.3, which hardcodes the expected signing algorithm on the verification side and rejects any token whose header does not match it, regardless of what the token itself claims. Organizations running an older version should upgrade immediately or, if patching isn’t immediately possible, add a gateway-level rule rejecting any JWT with alg: none.

Disclosure Timeline

  • 2026-06-02 — Vulnerability identified during a client engagement, private disclosure sent to Solandra
  • 2026-06-09 — Solandra confirmed the finding and began work on a fix
  • 2026-06-20 — Patched release (3.4.3) shipped to customers
  • 2026-06-25 — Public advisory published following the coordinated disclosure window

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call