Hi GitHub,
Our automated CVSS enrichment pipeline detected some discrepancies between GitHub's provided vector and ours. Since this also passed a GitHub review, I thought it would be helpful to share my insights here, so that the vector or its justification might be corrected. For reference, this was the output from our AI pipeline: https://graph.volerion.com/view?id=CVE-2026-39413.
The current vector states AC:H, PR:H, UI:R, but an actual attack seems to involve only an unauthenticated attacker forging a valid JWT via a 'none' algorithm, therefore encountering none of those exploitation barriers.
Additionally, I would make the point that C:H/I:N/A:N is best changed to C:H/I:H/A:N to better reflect the potential administrator access an attacker might obtain after successful exploitation.
This comes down to a final vector of:
https://volerion.com/cvss/3.1#vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
A pretty steep upgrade from a base score of 4.2 to 9.1.
I have hundreds more in the pipeline for 2026 alone, but unfortunately, I don't have the bandwidth to go through all of them in this manner. Feel free to email me at karel@volerion.com and perhaps we can work out a more streamlined method of setting the records straight.
Thanks!