A JWT Confusion Attack exploits a server's failure to strictly validate the alg header parameter in a JSON Web Token. The attacker crafts a token signed with a symmetric algorithm (like HS256) but sets the header to indicate an asymmetric algorithm (like RS256). If the server blindly trusts the header, it will use the public key as the HMAC secret to verify the signature, which the attacker can compute since the public key is often known.
Glossary
JWT Confusion Attack

What is JWT Confusion Attack?
A JWT Confusion Attack is a cryptographic exploit where an adversary manipulates the algorithm header of a JSON Web Token to bypass signature verification, tricking a server into accepting a maliciously crafted token as legitimate.
This vulnerability arises from algorithm confusion between symmetric and asymmetric signing. The core defense is to enforce a strict allowlist of permitted algorithms on the server side, never trusting the client-supplied alg parameter. Libraries like PyJWT mitigate this by requiring explicit algorithm specification during decoding, preventing the server from being tricked into using the wrong verification method.
Key Characteristics of a JWT Confusion Attack
A JWT confusion attack exploits the alg header parameter to trick a verifier into interpreting a token's signature using an unintended algorithm, effectively bypassing integrity checks and enabling unauthorized token forgery.
Algorithm Substitution Mechanism
The core of the attack lies in manipulating the alg header claim. An attacker changes this value from an asymmetric algorithm like RS256 (RSA signature) to a symmetric one like HS256 (HMAC). The server, if misconfigured, then uses its own RSA public key as the HMAC secret to verify the signature. Since the attacker possesses the public key, they can forge a valid HMAC signature, creating a token the server trusts implicitly.
The 'none' Algorithm Bypass
A more direct variant involves setting the alg header to none. The JWT specification includes this option to represent an unsecured token. Vulnerable libraries that do not explicitly reject the none algorithm will skip signature verification entirely, accepting any arbitrary payload as valid. This is a configuration flaw, not a cryptographic break, and remains a common finding in penetration tests.
Key Confusion via JWK Injection
Attackers can embed a malicious JSON Web Key (JWK) directly in the token's jwk header parameter. If the server is configured to dynamically fetch keys from the token itself rather than a trusted key store, it will use the attacker-supplied public key to verify the signature. The attacker signs the token with the corresponding private key they control, achieving complete authentication bypass.
Cross-JWT Confusion (JWT-to-JWT)
This advanced attack targets systems with multiple distinct JWT verifiers. An attacker obtains a validly signed JWT from a low-security context (e.g., a logging service) and replays it against a high-security context (e.g., an admin API). If the high-security verifier trusts the same issuer and key but fails to validate the aud (audience) claim, it accepts the token, granting unauthorized privilege escalation.
Polyglot Token Exploitation
A sophisticated technique where a single token is crafted to be validly interpreted by two different parsers in conflicting ways. For example, a token might be parsed as a valid JWT by an API gateway but as a different structure by the backend service. This exploits parser differentials to bypass security controls at the boundary layer while delivering a malicious payload to the core application.
Frequently Asked Questions
Clear, technical answers to the most common questions about JWT algorithm confusion vulnerabilities, their exploitation, and mitigation strategies for identity architects.
A JWT confusion attack is a cryptographic exploit where an adversary forces a server to interpret a JSON Web Token using a different algorithm than the one intended by the issuer, effectively bypassing signature verification. The attack exploits a fundamental design flaw in the JWT standard: the alg header parameter, which declares the algorithm used to sign the token, is itself unsigned. An attacker can modify this header to none (indicating no signature), or switch from an asymmetric algorithm like RS256 to a symmetric one like HS256. In the latter case, the server's public RSA key is treated as an HMAC shared secret. Since the attacker often has access to the public key, they can forge a valid HMAC signature, and the server will accept the token as legitimate. This vulnerability arises when server-side JWT libraries rely solely on the alg header to select the verification method, rather than enforcing a pre-configured, fixed algorithm per key or endpoint.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding JWT confusion attacks requires familiarity with the broader ecosystem of token security, algorithm vulnerabilities, and identity assertion flaws that threaten autonomous agent communication.
Key Confusion vs. Algorithm Confusion
While often conflated, these represent distinct attack surfaces. Algorithm confusion targets the alg header to switch between asymmetric and symmetric schemes. Key confusion exploits cross-service key reuse where a token valid for one service is accepted by another due to shared secrets.
- Algorithm Confusion: RS256 → HS256 downgrade using the public key
- Key Confusion: Token issued by Service A accepted by Service B because both share the same HMAC secret
- Hybrid Attack: Combining both vectors by confusing the algorithm and redirecting the token to a different audience
- Mitigation: Enforce explicit
audclaim validation and per-service key isolation
JWK Header Injection
A related attack where an adversary embeds a malicious JSON Web Key (JWK) directly in the JWT header's jwk parameter. If the server naively trusts the embedded key for signature verification without cross-referencing against a trusted key store, the attacker can sign tokens with their own private key.
- Attack Flow: Attacker generates a key pair → embeds the public key in the
jwkheader → signs the token with the corresponding private key → server uses the embedded key for verification - Vulnerable Pattern:
jose.verify(token)without specifying an allowed key set - Defense: Always pass an explicit
jwksUrior key whitelist to the verification function; never trust header-embedded keys
None Algorithm Attack
A trivial bypass where the attacker sets the alg header to none, indicating an unsecured JWT. Vulnerable libraries that fail to reject the none algorithm will skip signature verification entirely, accepting any payload as valid.
- Exploit:
{ "alg": "none", "typ": "JWT" }with any arbitrary payload - Historical Impact: Affected numerous early JWT libraries including older versions of
jsonwebtoken(Node.js) andpyjwt(Python) - Modern Mitigation: Most libraries now explicitly reject
noneby default, but custom verification logic may still be vulnerable - Testing: Use
jwt_toolwith the-X nflag to test for none algorithm acceptance
Asymmetric Key Confusion (CVE-2016-5431)
A specific vulnerability in the PHP JOSE library where the HMAC verification function accepted asymmetric keys. When verifying HS256 tokens, the library used openssl_verify() instead of hash_hmac(), allowing an attacker to sign with a private key and have it verified as an HMAC signature.
- CVE-2016-5431: PHP JOSE library used RSA verification for HMAC-signed tokens
- Impact: Complete authentication bypass for any service using the affected library
- Lesson: Cryptographic API misuse is the most common source of JWT vulnerabilities
- Prevention: Use well-maintained libraries that strictly separate algorithm implementations
Token Replay and Audience Confusion
Beyond algorithm attacks, token replay and audience confusion represent operational threats. A JWT captured via MITM can be replayed if no nonce or expiration is enforced. Audience confusion occurs when a token issued for Service A is accepted by Service B due to missing aud claim validation.
- Replay Defense: Implement
jti(JWT ID) claims with server-side nonce tracking or short-lived tokens withexpclaims - Audience Validation: Always verify the
audclaim matches the expected service identifier - Cross-Service Risk: In microservice architectures, a compromised downstream service can leak tokens that are valid for upstream services
- Best Practice: Combine short expiration (
exp), unique identifiers (jti), and strict audience (aud) validation

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us