95 matches found
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
JWCrypto: python-cryptography: python: JWCrypto: Memory exhaustion via crafted compressed JWE tokens
A flaw was found in JWCrypto, a Python library for JSON Web Key JWK, JSON Web Signature JWS, and JSON Web Encryption JWE specifications. An unauthenticated attacker can exploit this vulnerability by sending specially crafted JWE tokens that use ZIP compression. While the input token size is...
CVE-2026-45091 sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encode...
CVE-2026-45091
CVE-2026-45091 affects sealed-env in enterprise mode prior to 0.1.0-alpha.4. In versions 0.1.0-alpha.1 to alpha.3, the operator’s literal TOTP secret was embedded in the JWS payload of every minted unseal token. The JWS payload is base64-encoded JSON, not encrypted, allowing anyone who can observ...
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...
CLEANSTART-2026-FK30234 Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web To...
Multiple security vulnerabilities affect the tekton-pipelines-fips package. Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. See...
OESA-2026-1924 python-jwcrypto security update
Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing...
OESA-2026-1923 python-jwcrypto security update
Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing...
CLEANSTART-2026-TN07413 Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web To...
Multiple security vulnerabilities affect the terragrunt-fips package. Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. See references...
Security Bulletin: Signature Verification Bypass Vulnerability in auth0/node-jws (HS256, ≤ v3.2.2 & v4.0.0) affects watsonx.data
Summary A vulnerability in auth0/node-jws allows attackers to bypass signature verification when using the HS256 algorithm under certain conditions. The issue occurs when applications rely on user-controlled data for HMAC secret lookup during verification. This can affect watsonx.data...
PYSEC-2026-70
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate th...
EUVD-2026-19363
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
Summary fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. ---...
OPENSUSE-SU-2026:20392-1 Security update for python-Authlib
This update for python-Authlib fixes the following issues: Changes in python-Authlib: - CVE-2026-27962: JWS deserializecompact allows for signature bypass by accepting user-controlled embedded JWK as verification key bsc1259738 - CVE-2026-28490: cryptographic padding oracle in JWE RSA15 key...
CVE-2026-27962
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...
UBUNTU-CVE-2026-27962
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...
CVE-2026-27962
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...
CVE-2026-27962 Authlib JWS JWK Header Injection: Signature Verification Bypass
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...
CVE-2026-27962
Authlib JWS JWK Header Injection (CVE-2026-27962) is detailed in GHSA-wvwj-cvrp-7pv5: when key=None is passed to JWS deserialization, or a key resolver returns None, the library silently uses the attacker-supplied header.jwk as the verification key, allowing forgeable tokens and bypass of authent...
EUVD-2026-12478
Authlib JWS JWK Header Injection: Signature Verification Bypass...