CVE-2026-28490

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption JWE RSA15 key management algorithm. Authlib registe...

CVE-2026-27962 Authlib JWS JWK Header Injection: Signature Verification Bypass

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVE-2026-27962 Authlib JWS JWK Header Injection: Signature Verification Bypass

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVE-2026-27962 Authlib JWS JWK Header Injection: Signature Verification Bypass

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

CVE-2026-27962

Authlib JWS JWK Header Injection (CVE-2026-27962) is detailed in GHSA-wvwj-cvrp-7pv5: when key=None is passed to JWS deserialization, or a key resolver returns None, the library silently uses the attacker-supplied header.jwk as the verification key, allowing forgeable tokens and bypass of authent...

GHSA-M344-F55W-2M6J Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Executive Summary A critical library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash responsible for validating the athash Access Token Hash and chash...

Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Executive Summary A critical library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash responsible for validating the athash Access Token Hash and chash...

EUVD-2026-12482

Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding...

EUVD-2026-12480

Authlib Vulnerable to JWE RSA15 Bleichenbacher Padding Oracle...

GHSA-7432-952R-CW78 Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

Executive Summary A cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption JWE RSA15 key management algorithm. Authlib registers RSA15 in its default algorithm registry without requiring explicit opt-in,...

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

Executive Summary A cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption JWE RSA15 key management algorithm. Authlib registers RSA15 in its default algorithm registry without requiring explicit opt-in,...

EUVD-2026-12478

Authlib JWS JWK Header Injection: Signature Verification Bypass...

GHSA-WVWJ-CVRP-7PV5 Authlib JWS JWK Header Injection: Signature Verification Bypass

Description Summary A JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic...

Authlib JWS JWK Header Injection: Signature Verification Bypass

Description Summary A JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic...

Linux Distros Unpatched Vulnerability : CVE-2026-27962

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS...

Authlib 安全漏洞

Authlib is an open-source library developed by Authlib, designed as a ultimate Python library for building OAuth and OpenID Connect servers. Versions of Authlib prior to 1.6.9 contained security vulnerabilities. These vulnerabilities stemmed from the OpenID Connect ID token verification logic,...

Authlib 加密问题漏洞

Authlib is an open-source library developed by Authlib, designed as a ultimate Python library for building OAuth and OpenID Connect servers. Versions of Authlib prior to 1.6.9 contained a security vulnerability related to encryption. This vulnerability stemmed from a cryptographic padding mechani...

Linux Distros Unpatched Vulnerability : CVE-2026-28490

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified i...