Insufficiently Protected Credentials
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-522: Insufficiently Protected Credentials |
| OWASP | A02:2017 - Broken Authentication |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Storing a user's password inside a JWT exposes it in plaintext: a signed JWT (JWS) protects the payload's integrity, not its confidentiality, so the claims are only base64url-encoded and can be read by anyone who holds the token, without the signing key. Passwords should never be included in JWTs.
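The following is an added example (not part of this rule page) that shows the problem and a defensive check. It builds a constructed HS256 JWT with a demo key, reads the payload back without any key to show that a `password` claim is fully exposed, and adds a `find_credential_claims` check that a token-issuing service or a log scanner could use to flag such claims. The claim-name list `FORBIDDEN_CLAIMS` and all function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Claim names that must never appear in a JWT payload (assumed list for this example).
FORBIDDEN_CLAIMS = frozenset({"password", "passwd", "pwd", "secret"})


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_jwt(payload: dict, key: bytes, *, reject_credentials: bool = True) -> str:
    """Build an HS256-signed JWT.

    With reject_credentials=True (the safe default) the issuer refuses to sign a
    payload that carries a credential claim. reject_credentials=False reproduces
    the vulnerable behaviour this rule describes, for demonstration only.
    """
    leaked = sorted(FORBIDDEN_CLAIMS & set(payload))
    if reject_credentials and leaked:
        raise ValueError(f"refusing to issue JWT carrying credential claims: {leaked}")
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def read_payload_without_key(token: str) -> dict:
    """Decode the claims of any JWT. No key is needed: the payload is only encoded."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the signature. Note that this proves integrity, not secrecy."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def find_credential_claims(token: str) -> list:
    """Return the forbidden claim names present in a token's payload (for scanners)."""
    return sorted(FORBIDDEN_CLAIMS & set(read_payload_without_key(token)))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    # Vulnerable: the password travels inside the token.
    bad = issue_jwt({"sub": "alice", "password": "hunter2"}, key, reject_credentials=False)
    print("signature valid:", verify_hs256(bad, key))
    print("readable without key:", read_payload_without_key(bad))
    print("flagged claims:", find_credential_claims(bad))
    # Fixed: the issuer only carries an identifier and expiry.
    good = issue_jwt({"sub": "alice", "exp": 1700000000}, key)
    print("flagged claims in fixed token:", find_credential_claims(good))
```

The point the demo makes is that `verify_hs256` returns true for the bad token while `read_payload_without_key` still hands back the password: a valid signature says nothing about who can read the claims. The `find_credential_claims` check is cheap enough to run on every issued token or over tokens found in logs and traces.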
Impact
If exploited, attackers who obtain a JWT can directly access user passwords, leading to account compromise, credential reuse attacks, and potential data breaches. This exposes both users and the organization to serious security and privacy risks.