325 matches found
Snyk | added 2026/03/04 8:55 p.m. | 2 views

Improper Verification of Cryptographic Signature

Overview: Authlib is a library for building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in jwt.decode, which accepts alg: none. An attacker can gain unauthorized access, escalate privileges, or modify...

CVSS 9.8 | AI score 5.8 | EPSS 0.00019 | Exploits 1 | References 2
vulnersOsv | added 2026/03/04 8:55 p.m. | 4 views

agentstack-cli (>=0.5.0 <=0.6.2rc6), aieng-platform-onboard (>=0.5.0 <=0.6.1) +35 more potentially affected by CVE-2026-28802 via authlib (>=1.6.5 <=1.6.6)

authlib PyPI version =1.6.5, =0.5.0, =0.5.0, =0.21.0, =0.44.0, =1.7.0, =0.8.0, =1.0.20, =0.12.0, =1.0.3, =0.2.0, =0.1.3, =1.0.0, =1.115.2, =0.2.20, =1.0.0, =1.1.2 and more. Source CVEs: CVE-2026-28802. Source advisory: OSV:GHSA-7WC2-QXGW-G8GG...

CVSS 9.8 | AI score 7.2 | EPSS 0.00019 | Exploits 1
OSV | added 2026/03/04 8:55 p.m. | 1 views

GHSA-7WC2-QXGW-G8GG Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Summary: After upgrading the library from 1.5.2 to 1.6.0 and the latest 1.6.5, it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code, when a failure was...

CVSS 8.7 | AI score 5.9 | EPSS 0.00019 | Exploits 1 | References 5
vulnersOsv | added 2026/03/04 8:55 p.m. | 2 views

agentstack-cli (>=0.4.0 <=0.6.2rc6), aieng-platform-onboard (>=0.5.0 <=0.6.1) +87 more potentially affected by CVE-2026-28802 via authlib (>=1.6.0 <=1.6.6)

authlib PyPI version =1.6.0, =0.4.0, =0.5.0, =0.9.5, =0.19.0, =0.38.0, =0.1.0, =0.1.0, =0.1.0, =1.7.0, =0.1.1rc22, =0.1.0, =0.7.0, =0.2.19, =0.3.4, =0.3.7 and more. Source CVEs: CVE-2026-28802. Source advisory: SNYK:PYTHON-AUTHLIB-15425813...

CVSS 9.8 | AI score 7.2 | EPSS 0.00019 | Exploits 1
Github Security Blog | added 2026/03/04 8:55 p.m. | 5 views

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Summary: After upgrading the library from 1.5.2 to 1.6.0 and the latest 1.6.5, it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code, when a failure was...

CVSS 9.8 | AI score 6 | EPSS 0.00019 | Exploits 1 | References 5 | Affected Software 1
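The four CVE-2026-28802 entries above all describe the same failure: a JWT whose header says alg: none and whose signature segment is blank passes jwt.decode. The following is an added example, not Authlib's code and not the reporter's test, written with the Python standard library only. It builds a legitimately signed HS256 token and the forged alg: none token the advisory describes, then runs both through a deliberately lenient verifier that mirrors the reported behaviour (the token's own alg field selects the verifier, and "none" is one of them) and through a hardened verifier where the allowlist belongs to the verifier, "none" is unconditionally refused, and an empty signature fails before any comparison. The key, claims and allowlist are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; not a key from any real deployment.
SECRET = b"constructed-demo-secret"
# The verifier's own allowlist. "none" must never be reachable from token data.
ALLOWED_ALGS = frozenset({"HS256"})


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_token(token: str):
    """Split JWS compact serialization into (header, signing_input, signature, payload_segment)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return header, signing_input, b64url_decode(parts[2]), parts[1]


def sign_hs256(claims: dict, key: bytes) -> str:
    """The legitimate issuer path: a properly signed HS256 token."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker side, as in the advisory: alg: none and a blank signature segment."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_lenient(token: str, key: bytes) -> dict:
    """Vulnerable pattern (constructed to mirror the reported behaviour, not Authlib's
    source): the token's alg picks the verifier and the "none" verifier accepts anything."""
    header, signing_input, sig, payload = split_token(token)
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload))   # unsigned token accepted as valid
    if alg == "HS256" and hmac.compare_digest(
        hmac.new(key, signing_input, hashlib.sha256).digest(), sig
    ):
        return json.loads(b64url_decode(payload))
    raise ValueError("bad signature")


def decode_strict(token: str, key: bytes, allowed=ALLOWED_ALGS) -> dict:
    """Hardened: the verifier, not the token, fixes the algorithm set; "none" is refused
    even if a caller lists it; an empty or truncated signature fails before any HMAC."""
    header, signing_input, sig, payload = split_token(token)
    alg = header.get("alg")
    if not isinstance(alg, str) or alg == "none" or alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not permitted")
    if alg != "HS256":
        raise ValueError(f"no verifier wired up for {alg!r}")  # only HS256 is implemented here
    if len(sig) != hashlib.sha256().digest_size:
        raise ValueError("signature has the wrong length (empty or truncated)")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def is_rejected(decoder, token: str, key: bytes = SECRET) -> bool:
    """True when `decoder` refuses the token; used to exercise both verifiers."""
    try:
        decoder(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    forged = forge_none({"sub": "alice", "admin": True})
    print("strict accepts legit  :", decode_strict(legit, SECRET))
    print("lenient accepts forged:", decode_lenient(forged, SECRET))
    print("strict rejects forged :", is_rejected(decode_strict, forged))
```

The regression test a consumer of any JWT library should keep is the one the reporter had: feed forge_none output into the real decode call with the real key and assert that it raises. If that test stops failing after a library upgrade, the library has become the verifier selector instead of you.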
CNNVD | added 2026/03/03 12:00 a.m. | 1 views

joserfc security vulnerability

Joserfc is a Python library developed by Authlib. Joserfc versions 1.6.2 and earlier have security vulnerabilities. These vulnerabilities stem from the lack of validation or restrictions on the p2c parameter value in the JWE token. This allows unauthenticated attackers to cause denial-of-service...

CVSS 7.5 | AI score 5.8 | EPSS 0.00048 | Exploits 2 | References 3
OpenVAS | added 2026/03/02 12:00 a.m. | 2 views

Ubuntu: Security Advisory (USN-8065-1)

The remote host is missing an update announced via the USN-8065-1 advisory...

CVSS 8.8 | AI score 6 | EPSS 0.00424 | Exploits 5 | References 2
Tenable Nessus | added 2026/03/02 12:00 a.m. | 2 views

Ubuntu 22.04 LTS / 24.04 LTS : Authlib vulnerabilities (USN-8065-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8065-1 advisory. Millie Solem discovered that Authlib did not properly restrict algorithm selection during JWT verification, allowing HMAC verification with...

CVSS 8.8 | AI score 6 | EPSS 0.00424 | Exploits 5 | References 6
Tenable Nessus | added 2026/02/22 12:00 a.m. | 2 views

openSUSE 16 Security Update : python-Authlib (openSUSE-SU-2026:20257-1)

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2026:20257-1 advisory. Changes in python-Authlib: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library (bsc#1256414). Tenable has extracte...

CVSS 8.8 | AI score 5.6 | EPSS 0.00017 | Exploits 1 | References 3
OSV | added 2026/02/19 1:21 p.m. | 1 views

OPENSUSE-SU-2026:20257-1 Security update for python-Authlib

This update for python-Authlib fixes the following issues: Changes in python-Authlib: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library (bsc#1256414)...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017 | Exploits 1 | References 2
IBM Security Bulletins | added 2026/02/10 4:39 p.m. | 5 views

Security Bulletin: Authlib JOSE Denial of Service via Unbounded JWS or JWT Header and Signature Parsing, affects watsonx.data

Summary: Authlib versions before 1.6.5 are vulnerable to a denial-of-service attack where oversized JWS/JWT headers or signatures consume excessive CPU and memory during parsing. The issue is fixed in 1.6.5; temporary mitigations include enforcing token size limits and request throttling. This can...

CVSS 7.5 | AI score 5.6 | EPSS 0.00424 | Exploits 1 | Affected Software 1
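Two of the denial-of-service entries above are resource-bound problems that a token consumer can close at the edge, before a library ever parses the token: the joserfc entry (an unrestricted p2c iteration count in a JWE protected header, which makes the server run an attacker-chosen number of PBKDF2 rounds) and the Authlib JOSE entry (oversized JWS/JWT header or signature segments consumed during parsing, for which the bulletin itself suggests token size limits). The following is an added example, not Authlib's or joserfc's code, that applies both bounds with the Python standard library. The segment, header-member and p2c limits are assumptions for the example; the PBES2 salt construction and minimum iteration/salt sizes follow RFC 7518, and the sample JWE-shaped strings are constructed with placeholder segments rather than real ciphertext.

```python
import base64
import hashlib
import json

# Assumed limits for this example; tune them to the tokens you actually issue.
MAX_SEGMENT_CHARS = 4096    # per base64url segment (header, payload, signature, ...)
MAX_HEADER_MEMBERS = 32     # members allowed in a protected header
MIN_P2C = 1000              # RFC 7518 §4.8.1.2: at least 1000 iterations
MAX_P2C = 100_000           # assumed ceiling; above this the server is doing the attacker's work

PBES2_ALGS = {
    # alg: (PRF hash, derived key length in bytes) per RFC 7518 §4.8
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def bounded_segments(token: str, expected: int) -> list:
    """Split compact serialization and refuse oversized segments *before* decoding,
    so a multi-megabyte header or signature is never base64-decoded or JSON-parsed."""
    parts = token.split(".")
    if len(parts) != expected:
        raise ValueError(f"expected {expected} segments, got {len(parts)}")
    for i, part in enumerate(parts):
        if len(part) > MAX_SEGMENT_CHARS:
            raise ValueError(f"segment {i} is {len(part)} chars, limit {MAX_SEGMENT_CHARS}")
    return parts


def parse_protected_header(segment: str) -> dict:
    header = json.loads(b64url_decode(segment))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    if len(header) > MAX_HEADER_MEMBERS:
        raise ValueError(f"header has {len(header)} members, limit {MAX_HEADER_MEMBERS}")
    return header


def check_pbes2_params(header: dict):
    """For PBES2 key wrapping, bound p2c before any PBKDF2 call.
    Returns (hash_name, dklen, p2c, salt_input), or None when alg is not PBES2."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return None
    p2c = header.get("p2c")
    if isinstance(p2c, bool) or not isinstance(p2c, int) or not MIN_P2C <= p2c <= MAX_P2C:
        raise ValueError(f"p2c={p2c!r} outside [{MIN_P2C}, {MAX_P2C}]")
    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise ValueError("p2s missing or not a string")
    salt_input = b64url_decode(p2s)
    if len(salt_input) < 8:                      # RFC 7518 §4.8.1.1: at least 8 octets
        raise ValueError("p2s salt input shorter than 8 octets")
    hash_name, dklen = PBES2_ALGS[alg]
    return hash_name, dklen, p2c, salt_input


def vet_jwe(token: str) -> dict:
    """Checks a JWE consumer should run before touching a key or ciphertext."""
    parts = bounded_segments(token, 5)
    header = parse_protected_header(parts[0])
    check_pbes2_params(header)
    return header


def vet_jws(token: str) -> dict:
    """The same size bounds applied to a three-segment JWS/JWT."""
    parts = bounded_segments(token, 3)
    return parse_protected_header(parts[0])


def derive_pbes2_key(password: bytes, header: dict) -> bytes:
    """Runs PBKDF2 only with a p2c that passed check_pbes2_params.
    Salt is alg || 0x00 || p2s per RFC 7518 §4.8.1.1."""
    params = check_pbes2_params(header)
    if params is None:
        raise ValueError("not a PBES2 header")
    hash_name, dklen, p2c, salt_input = params
    salt = header["alg"].encode("ascii") + b"\x00" + salt_input
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, dklen)


def make_jwe_shell(header: dict) -> str:
    """Constructed five-segment JWE-shaped string: only the header is meaningful;
    the other segments are placeholder bytes, not real key/IV/ciphertext/tag."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    filler = b64url_encode(b"\x00" * 16)
    return ".".join([h, filler, filler, filler, filler])


def is_rejected(check, token: str) -> bool:
    try:
        check(token)
    except ValueError:
        return True
    return False
```

Order matters: the length check runs on the raw string before any decoding, the member-count check runs before any algorithm-specific code, and PBKDF2 is only reachable through check_pbes2_params. Request throttling, as the bulletin also suggests, is complementary: it caps how many tokens per second an attacker can submit, while these checks cap how much work each one can cost.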
Redos | added 2026/01/22 12:00 a.m. | 3 views

ROS-20260122-73-0007

Vulnerability in python-authlib related to insufficient input validation. Exploitation of the vulnerability could allow a remote attacker to cause a denial of service...

CVSS 7.5 | AI score 5.6 | EPSS 0.00424 | Exploits 1

OSV | added 2026/01/12 12:00 a.m. | 1 views

OPENSUSE-SU-2026:10034-1 python311-Authlib-1.6.6-1.1 on GA media

These are all security issues fixed in the python311-Authlib-1.6.6-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017 | Exploits 1 | References 1
RedhatCVE | added 2026/01/09 11:26 a.m. | 3 views

CVE-2021-28374

The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's...

CVSS 7.5 | AI score 6.6 | EPSS 0.00286 | Exploits 0 | References 1

SUSE CVE | added 2026/01/09 12:24 a.m. | 3 views

SUSE CVE-2025-68158

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state, easily obtainable via an attacker-initiated...

CVSS 5.7 | AI score 5.8 | EPSS 0.00017 | Exploits 1 | References 4

vulnersOsv | added 2026/01/08 10:40 p.m. | 3 views

aad-fastapi-dl37 (>=1.0.0 <=1.0.2), agentiq (>=1.2.0a20250730 <=1.2.0rc4) +210 more potentially affected by CVE-2025-68158 via authlib (>=1.0.0 <=1.6.5)

authlib PyPI version =1.0.0, =1.0.0, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more. Source CVEs: CVE-2025-68158. Source advisory:...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017 | Exploits 1

OSV | added 2026/01/08 10:40 p.m. | 0 views

GHSA-FG6F-75JQ-6523 Authlib has 1-click Account Takeover vulnerability

Security Advisory: Cache-Backed State Storage CSRF in Authlib. The Security Labs team at Snyk has reported a security issue affecting Authlib, identified during a recent research project. The Snyk Security Labs team has identified a vulnerability that can result in a one-click account takeover in...

CVSS 5.7 | AI score 6 | EPSS 0.00017 | Exploits 1 | References 5
Snyk | added 2026/01/08 10:40 p.m. | 1 views

Cross-site Request Forgery (CSRF)

Overview: Authlib is a library for building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the request.scope in the validate_authorization_request function, which leads to cache-backed...

CVSS 8.8 | AI score 6.3 | EPSS 0.00017 | Exploits 1 | References 2
vulnersOsv | added 2026/01/08 10:40 p.m. | 2 views

aad-fastapi-dl37 (>=1.0.0 <=1.0.2), agentiq (>=1.2.0a20250730 <=1.2.0rc4) +210 more potentially affected by CVE-2025-68158 via authlib (>=1.0.0 <=1.6.5)

authlib PyPI version =1.0.0, =1.0.0, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more. Source CVEs: CVE-2025-68158. Source advisory:...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017 | Exploits 1

Github Security Blog | added 2026/01/08 10:40 p.m. | 4 views

Authlib has 1-click Account Takeover vulnerability

Security Advisory: Cache-Backed State Storage CSRF in Authlib. The Security Labs team at Snyk has reported a security issue affecting Authlib, identified during a recent research project. The Snyk Security Labs team has identified a vulnerability that can result in a one-click account takeover in...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017 | Exploits 1 | References 5 | Affected Software 1
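The CVE-2025-68158 entries above share one root cause: the OAuth client keeps its state (and the request data behind it) in a server-side cache keyed by the state value alone, so the state is not tied to the browser session that started the flow. The following is an added example, not Authlib's code, that simulates both designs with constructed sessions, a stub identity provider and constructed authorization codes. It plays out the one-click scenario the advisories describe: the attacker starts a login, keeps the resulting state, and gets the victim's browser to load the callback URL carrying that state and an authorization code for the attacker's account. With the cache-keyed design the victim's session ends up logged in as the attacker; with the state bound to the initiating session the callback is refused.

```python
import secrets
from typing import Optional

# Constructed identity-provider stub: authorization code -> identity it was issued for.
PROVIDER_CODES = {
    "code-for-attacker": {"sub": "attacker@example.test"},
    "code-for-victim": {"sub": "victim@example.test"},
}


def exchange_code(code: str) -> dict:
    """Stand-in for the token-endpoint exchange; returns the identity behind the code."""
    try:
        return PROVIDER_CODES[code]
    except KeyError:
        raise ValueError("unknown authorization code") from None


def new_session() -> dict:
    """A per-browser session, as a cookie-backed session store would give you."""
    return {"id": secrets.token_urlsafe(8), "user": None}


class CacheKeyedByStateClient:
    """Vulnerable pattern from the advisory (constructed, not Authlib's source): state
    and request data live in a shared cache keyed by the state value alone, so anyone
    holding a valid state can complete the login inside *any* session."""

    def __init__(self):
        self.cache = {}   # shared server-side cache, e.g. Redis or memcached

    def begin_login(self, session: dict) -> str:
        state = secrets.token_urlsafe(16)
        self.cache[state] = {"redirect_uri": "https://client.example.test/cb"}
        return state

    def finish_login(self, session: dict, state: str, code: str) -> dict:
        if self.cache.pop(state, None) is None:
            raise ValueError("unknown or expired state")
        session["user"] = exchange_code(code)
        return session["user"]


class SessionBoundClient:
    """Hardened: the state is recorded in the initiating session and the cache key
    includes the session id, so the callback only completes in the browser that
    started the flow. The state is also single-use."""

    def __init__(self):
        self.cache = {}

    def begin_login(self, session: dict) -> str:
        state = secrets.token_urlsafe(16)
        session["oauth_state"] = state
        self.cache[(session["id"], state)] = {"redirect_uri": "https://client.example.test/cb"}
        return state

    def finish_login(self, session: dict, state: str, code: str) -> dict:
        expected = session.pop("oauth_state", None)
        if expected is None or not secrets.compare_digest(expected, state):
            raise ValueError("state was not issued to this session")
        if self.cache.pop((session["id"], state), None) is None:
            raise ValueError("unknown or expired state")
        session["user"] = exchange_code(code)
        return session["user"]


def run_login_csrf(client) -> Optional[dict]:
    """One-click account takeover attempt. Returns the identity the victim's session is
    logged in as afterwards, or None if the client refused the callback."""
    attacker_session = new_session()
    state = client.begin_login(attacker_session)       # attacker-initiated flow
    victim_session = new_session()                     # the victim never started a login
    try:
        client.finish_login(victim_session, state, "code-for-attacker")
    except ValueError:
        return None
    return victim_session["user"]


def run_honest_login(client) -> dict:
    """Control case: the same browser starts and finishes the flow."""
    session = new_session()
    state = client.begin_login(session)
    return client.finish_login(session, state, "code-for-victim")


def run_replay(client) -> bool:
    """True if a state can be redeemed twice in the same session."""
    session = new_session()
    state = client.begin_login(session)
    client.finish_login(session, state, "code-for-victim")
    try:
        client.finish_login(session, state, "code-for-victim")
    except ValueError:
        return False
    return True
```

The check that matters is the comparison against a value stored in the victim's own session: a cache lookup by state proves only that some flow with that state exists, not that this browser started it. Binding the cache key to the session id is belt-and-braces on top of that; it keeps the request data from being reachable from another session even if the session-side check is ever bypassed.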