Hi GitHub,
Our automated CVSS enrichment pipeline detected some discrepancies between GitHub's provided vector and ours. Since this also passed a GitHub review, I thought it would be helpful to share my insights here, so that the vector or its justification might be corrected. For reference, this was the output from our AI pipeline: https://graph.volerion.com/view?id=CVE-2026-35039.
For the current vector, PR:N was set, but exploitation requires an attacker to possess a valid JWT, which is an authentication artifact, and therefore constitutes at least a low privilege requirement.
Additionally, impact could have been downgraded to C:L/I:L, due to the fact that it may not be reasonable to believe that an attacker could obtain administrator-like control in most implementations involving this library. However, since that is also arguably the most subjective part of the CVSS specification, I won't press that point if you feel otherwise.
My suggestion would be to change PR:N to PR:L, which comes down to a final vector of:
https://volerion.com/cvss/3.1#vector=CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Thanks!