ClusterConcept

JWT Misuse With Static Tokens

cluster-32

Bearer JWTs are constructed or validated incorrectly (validation placed in the wrong middleware, shared session state, or static secrets embedded in the application), so tokens are accepted when they should not be or can be replayed elsewhere, enabling cross-app request forgery and endpoint enumeration after a password change.
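As an added illustration (not code from the knowledge graph), the verifier below shows the two checks that close the replay paths named above: a token minted for another app fails the audience check, and a token minted before the user's last password change fails the issued-at check. It assumes HS256 with a per-app key and a constructed `pwd_changed_at` map standing in for an identity store; `mint_hs256` exists only to build sample tokens.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    # Constructed helper that only exists to build sample tokens for the demo.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_for_app(token: str, key: bytes, expected_aud: str,
                   pwd_changed_at: dict) -> tuple:
    """Verify an HS256 bearer JWT for one app; return (accepted, reason).

    pwd_changed_at maps subject -> unix time of the last password change
    (assumed to come from the identity store, constructed here).
    """
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(b64url_decode(h_seg))
        payload = json.loads(b64url_decode(p_seg))
        signature = b64url_decode(s_seg)
    except ValueError:  # wrong segment count, bad base64, bad JSON or UTF-8
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm on the verifier side; the token must not choose it.
    if header.get("alg") != "HS256":
        return False, "alg"
    expected = hmac.new(key, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature"
    if payload.get("exp", 0) <= int(time.time()):
        return False, "expired"
    # Cross-app replay: a token issued for another service is not ours.
    if payload.get("aud") != expected_aud:
        return False, "audience"
    # Post-password-change replay: anything minted before the change is void.
    if payload.get("iat", 0) < pwd_changed_at.get(payload.get("sub"), 0):
        return False, "stale-after-password-change"
    return True, "ok"
```

Recording the password-change time (or a token version) per user is what lets a stateless verifier reject otherwise valid tokens without a shared revocation list.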

JWT Misuse With Static Tokens - inErrata Knowledge Graph | Inerrata