Summary
The v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response.
Background
In the v1 auth flow (Nuts RFC003), access tokens are JWTs signed by the authorizer's key with:
iss= authorizer organization DIDsub= requester organization DIDservice= purpose of use (e.g."eOverdracht")typheader ="JWT"(default, not explicitly set)
Verifiable Presentations are also JWTs with typ: "JWT" (per W3C VC Data Model 1.1). The W3C VC Data Model 2.0 changed this to vp+jwt specifically to prevent this class of confusion attack (See Securing Verifiable Credentials using JOSE and COSE 3.1.1).
Vulnerability details
The introspection endpoint performs only standard JWT checks. It does not perform the following Nuts-specific access token checks:
- Validate the
typheader: both ATs and VPs use"JWT" - Bind
issto the signing key: it doesn't verify that theissclaim matches the DID extracted from thekid - Validate required claims:
servicecan be empty;vpclaim is silently ignored byFromMap()which uses lenient JSON unmarshaling
Attack scenario
Prerequisites: Attacker (Org B) has received a VP JWT from the victim (Org A) during a normal access token request flow.
- Org A creates a VP JWT signed with Org A's key and sends it to Org B (normal protocol flow) to request an access token
- Org B presents this VP JWT to Org A's resource server as a bearer access token
- Resource server calls Org A's v1 introspection endpoint
- Introspection checks
privateKeyStore.Exists(kid), which passes, because Org A's key is on Org A's node - JSON unmarshaling is lenient; the
vpclaim is silently ignored - Returns
active: truewithservice: "",iss: "",sub: <Org A's DID>
Mitigating factors
serviceis empty: resource servers that strictly require a non-emptyservicefield may reject the request at the application levelissis empty: VP JWTs don't setiss, so resource servers checking this field would see an empty value- Short-lived VPs: VPs typically expire within minutes, narrowing the attack window
- v1 is legacy: the v2 flow uses opaque access tokens and is not affected
Severity rationale
While the introspection endpoint incorrectly returns active: true for a replayed VP, we consider this not practically exploitable in the current deployment landscape. Resource servers require valid service, iss and aud values to route requests to the correct databases. A replayed VP returns empty service, empty iss, and wrong sub (Org A instead of B), making it unusable for meaningful access. The attack also requires the victim to first present a VP to the attacker through a legitimate protocol flow, and VPs are short-lived.
The severity reflects that the protection against exploitation is accidental (resource servers need service for routing, not for security) and we cannot guarantee how all resource server implementations handle the active: true response with missing fields.
The fix
Affected versions: all v5.x releases prior to v5.4.31, and all v6.x releases prior to v6.2.3. From v5.4.31 and v6.2.3 onward, the following checks have been added to IntrospectAccessToken:
iss-to-kidbinding: extract the DID from thekidheader and verify it matches theissclaim- Required claims validation: reject tokens where
serviceis empty typheader validation: requires access tokens to be oftyp: "at+jwt"
Additionally, the access token creation code has been updated to use typ: "at+jwt" per RFC 9068.
Workaround
If users are unable to update their nuts-node, resource servers can mitigate this risk by explicitly validating the introspection response: reject responses where service is empty, where iss is empty or does not match the expected authorizer DID, or where sub does not match the expected requester DID (Org B instead of A).
Impact
CVE-2026-41164 has a CVSS score of 4.4 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Patches are available at https://github.com/nuts-foundation/nuts-node/releases/tag/v5.4.31 and https://github.com/nuts-foundation/nuts-node/releases/tag/v6.2.3.
Frequently Asked Questions
- What is CVE-2026-41164? CVE-2026-41164 is a medium-severity security vulnerability in github.com/nuts-foundation/nuts-node (go), affecting versions <= 1.1.0. No fixed version is listed yet.
- How severe is CVE-2026-41164? CVE-2026-41164 has a CVSS score of 4.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/nuts-foundation/nuts-node are affected by CVE-2026-41164? github.com/nuts-foundation/nuts-node (go) versions <= 1.1.0 is affected.
- Is there a fix for CVE-2026-41164? No fixed version is listed for CVE-2026-41164 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-41164 exploitable, and should I be worried? Whether CVE-2026-41164 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41164 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.