11 matches found
CVE-2026-28802 Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
Authlib is a Python library for building OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application co...
GHSA-7WC2-QXGW-G8GG Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
Summary: After upgrading the library from 1.5.2 to 1.6.0 and the latest 1.6.5, it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was...
Parse Server data forgery vulnerability
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 8.6.3 and 9.1.1-alpha.4 contained a data manipulation vulnerability. This vulnerability stemmed from an unverified attacker being...
CVE-2025-61152
python-jose through 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., isadmin=true) and bypass authentication checks, leading to privilege escalation or unauthoriz...
DEBIAN-CVE-2025-61152
python-jose through 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., isadmin=true) and bypass authentication checks, leading to privilege escalation or unauthoriz...
PT-2025-41563
Name of the Vulnerable Software and Affected Versions: python-jose versions through 3.3.0. Description: The software accepts JWT tokens with 'alg=none' without cryptographic signature verification. This allows a malicious actor to create forged tokens with arbitrary claims, potentially bypassing...
CVE-2020-15957
An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing DP3T. When it is configured to check JWT before uploading/publishing keys, it is possible to skip the signature check by providing a JWT token with alg=none...
CVE-2020-15957
CVE-2020-15957 affects DP3T-Backend-SDK before 1.1.1. When configured to check JWTs before uploading/publishing keys, an attacker can bypass the signature check by supplying a JWT with alg=none, enabling potential unauthorized key publishing or forgery. The connected documents confirm the same de...
CVE-2019-19324
Xmidt cjwt through 1.0.1 before 2019-11-25 maps unsupported algorithms to alg=none, which sometimes leads to untrusted accidental JWT acceptance...
CVE-2019-19324
Xmidt cjwt (C library) before 2019-11-25 and version 1.0.1 and earlier maps unsupported JWT algorithms to alg=none, which can lead to untrusted accidental JWT acceptance. Affected component: Xmidt cjwt; root cause: permissive/incorrect handling of algorithm values; impact: potential for accepting...
JWT Tool - A Toolkit For Testing, Tweaking And Cracking JSON Web Tokens
jwttool.py is a toolkit for validating, forging and cracking JWTs (JSON Web Tokens). Its functionality includes: checking the validity of a token; testing for the RS/HS256 public key mismatch vulnerability; testing for the alg=None signature-bypass vulnerability; testing the validity of a secret/key/k...