333 matches found

Cvelist
added 2026/03/06 6:44 a.m.

CVE-2026-28802 Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application co...

CVSS 8.7 | EPSS 0.00019
Exploits 1 | References 3
Vulnrichment
added 2026/03/06 6:44 a.m.

CVE-2026-28802 Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application co...

CVSS 8.7 | AI score 5.8 | EPSS 0.00019
Exploits 1 | References 3
Debian CVE
added 2026/03/06 6:44 a.m.

CVE-2026-28802

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application co...

CVSS 9.8 | AI score 8.3 | EPSS 0.00019
Exploits 1
CNNVD
added 2026/03/06 12:00 a.m.

Authlib data forgery vulnerability

Authlib is an open-source library developed by Authlib developers, designed as an ultimate Python library for building OAuth and OpenID Connect servers. Versions of Authlib from 1.6.5 to 1.6.7 had a data manipulation vulnerability. This vulnerability occurred when malicious JWTs containing alg: no...

CVSS 9.8 | AI score 7.2 | EPSS 0.00019
Exploits 1 | References 3
Tenable Nessus
added 2026/03/06 12:00 a.m.

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-Authlib (SUSE-SU-2026:0828-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:0828-1 advisory. - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library bsc1256414...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017
Exploits 1 | References 4
UbuntuCve
added 2026/03/06 12:00 a.m.

CVE-2026-28802

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application co...

CVSS 9.8 | AI score 7.1 | EPSS 0.00019
Exploits 1 | References 4
SUSE Linux
added 2026/03/05 3:17 p.m.

Security update for python-Authlib

This update for python-Authlib fixes the following issues: CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library bsc1256414 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...

CVSS 6.9 | AI score 5.9 | EPSS 0.00017
Exploits 1 | References 4
OSV
added 2026/03/05 3:16 p.m.

SUSE-SU-2026:0828-1 Security update for python-Authlib

This update for python-Authlib fixes the following issues: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library bsc1256414...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017
Exploits 1 | References 3
vulnersOsv
added 2026/03/04 8:55 p.m.

agentstack-cli (>=0.5.0 <=0.6.2rc6), aieng-platform-onboard (>=0.5.0 <=0.6.1) +35 more potentially affected by CVE-2026-28802 via authlib (>=1.6.5 <=1.6.6)

authlib PYPI version =1.6.5, =0.5.0, =0.5.0, =0.21.0, =0.44.0, =1.7.0, =0.8.0, =1.0.20, =0.12.0, =1.0.3, =0.2.0, =0.1.3, =1.0.0, =1.115.2, =0.2.20, =1.0.0, =1.1.2 and more Source cves: CVE-2026-28802 Source advisory: OSV:GHSA-7WC2-QXGW-G8GG...

CVSS 9.8 | AI score 7.7 | EPSS 0.00019
Exploits 1
Snyk
added 2026/03/04 8:55 p.m.

Improper Verification of Cryptographic Signature

Overview authlib is a library for building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in jwt.decode, which accepts alg: none. An attacker can gain unauthorized access, escalate privileges, or modify...

CVSS 9.8 | AI score 5.8 | EPSS 0.00019
Exploits 1 | References 2
OSV
added 2026/03/04 8:55 p.m.

GHSA-7WC2-QXGW-G8GG Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Summary After upgrading the library from 1.5.2 to 1.6.0 and the latest 1.6.5 it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was...

CVSS 8.7 | AI score 5.9 | EPSS 0.00019
Exploits 1 | References 5
vulnersOsv
added 2026/03/04 8:55 p.m.

agentstack-cli (>=0.4.0 <=0.6.2rc6), aieng-platform-onboard (>=0.5.0 <=0.6.1) +89 more potentially affected by CVE-2026-28802 via authlib (>=1.6.0 <=1.6.6)

authlib PYPI version =1.6.0, =0.4.0, =0.5.0, =0.9.5, =0.19.0, =0.38.0, =0.1.0, =0.1.0, =0.1.0, =1.7.0, =0.1.1rc22, =0.1.0, =0.7.0, =0.2.19, =0.5.24 and more Source cves: CVE-2026-28802 Source advisory: SNYK:PYTHON-AUTHLIB-15425813...

CVSS 9.8 | AI score 7.7 | EPSS 0.00019
Exploits 1
Github Security Blog
added 2026/03/04 8:55 p.m.

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Summary After upgrading the library from 1.5.2 to 1.6.0 and the latest 1.6.5 it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was...

CVSS 9.8 | AI score 6 | EPSS 0.00019
Exploits 1 | References 5 | Affected software 1
CNNVD
added 2026/03/03 12:00 a.m.

joserfc security vulnerability

Joserfc is a Python library developed by Authlib. Joserfc versions 1.6.2 and earlier have security vulnerabilities. These vulnerabilities stem from the lack of verification or restrictions on the p2c parameter value in the JWE token. This allows unauthenticated attackers to cause denial-of-service...

CVSS 7.5 | AI score 5.8 | EPSS 0.00048
Exploits 2 | References 3
OpenVAS
added 2026/03/02 12:00 a.m.

Ubuntu: Security Advisory (USN-8065-1)

The remote host is missing an update announced via the USN-8065-1 advisory...

CVSS 8.8 | AI score 6 | EPSS 0.00424
Exploits 5 | References 2
Tenable Nessus
added 2026/03/02 12:00 a.m.

Ubuntu 22.04 LTS / 24.04 LTS : Authlib vulnerabilities (USN-8065-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8065-1 advisory. Millie Solem discovered that Authlib did not properly restrict algorithm selection during JWT verification, allowing HMAC verification with...

CVSS 8.8 | AI score 6 | EPSS 0.00424
Exploits 5 | References 6
Tenable Nessus
added 2026/02/22 12:00 a.m.

openSUSE 16 Security Update : python-Authlib (openSUSE-SU-2026:20257-1)

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2026:20257-1 advisory. Changes in python-Authlib: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library bsc1256414 Tenable has extracte...

CVSS 8.8 | AI score 5.6 | EPSS 0.00017
Exploits 1 | References 3
OSV
added 2026/02/19 1:21 p.m.

OPENSUSE-SU-2026:20257-1 Security update for python-Authlib

This update for python-Authlib fixes the following issues: Changes in python-Authlib: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library bsc1256414...

CVSS 8.8 | AI score 5.8 | EPSS 0.00017
Exploits 1 | References 2
IBM Security Bulletins
added 2026/02/10 4:39 p.m.

Security Bulletin: Authlib JOSE Denial of Service via Unbounded JWS or JWT Header and Signature Parsing, affects watsonx.data

Summary Authlib versions before 1.6.5 are vulnerable to a denial-of-service attack where oversized JWS/JWT headers or signatures consume excessive CPU and memory during parsing. The issue is fixed in 1.6.5, temporary mitigations include enforcing token size limits and request throttling. This can...

CVSS 7.5 | AI score 5.6 | EPSS 0.00424
Exploits 1 | Affected software 1
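The entries above describe three separate JOSE-handling defects in the same family of libraries: a verifier that accepts `alg: none` with an empty signature (CVE-2026-28802, and the USN-8065-1 note about algorithm selection not being restricted during JWT verification), unbounded JWS/JWT header and signature parsing that burns CPU and memory before any signature check (fixed in Authlib 1.6.5, with token size limits named as the interim mitigation), and an uncapped PBES2 `p2c` iteration count in JWE headers (the joserfc advisory). The following is an added example written for this page, not Authlib's or joserfc's code, showing the three controls side by side with the vulnerable header-trusting pattern. It uses only the Python standard library; the size limits, the `p2c` cap and the shared key are assumptions chosen for the illustration, not values taken from the advisories.

```python
"""Hardened pre-checks for JOSE compact tokens, plus a pinned HS256 verifier.

Added example for this page; it is not Authlib's or joserfc's code. It shows:
  * bounding token / header / signature sizes before any base64 or JSON work,
  * refusing `alg: none` and pinning the algorithm to the key instead of
    letting the token header choose it,
  * capping the PBES2 `p2c` iteration count carried in a JWE header.
All limits below are assumptions chosen for the example.
"""
import base64
import hashlib
import hmac
import json

MAX_TOKEN_BYTES = 8 * 1024      # assumed: whole compact serialization
MAX_SEGMENT_CHARS = 1400        # assumed: base64url length of header / signature
MAX_P2C = 100_000               # assumed: PBES2 iteration cap


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def parse_header(token: str) -> dict:
    """Size-bound, split and sanity-check the protected header of a JWS or JWE.

    Oversized input is rejected before decoding anything; `alg: none` is
    refused unconditionally; PBES2 headers must carry a bounded integer `p2c`.
    """
    if len(token.encode("utf-8")) > MAX_TOKEN_BYTES:
        raise ValueError("token too large")
    parts = token.split(".")
    if len(parts) not in (3, 5):    # JWS compact = 3 segments, JWE compact = 5
        raise ValueError("malformed compact serialization")
    if len(parts[0]) > MAX_SEGMENT_CHARS:
        raise ValueError("protected header too large")
    if len(parts) == 3 and len(parts[2]) > MAX_SEGMENT_CHARS:
        raise ValueError("signature too large")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsigned (alg: none) tokens are not accepted")
    if alg.startswith("PBES2"):
        p2c = header.get("p2c")
        if isinstance(p2c, bool) or not isinstance(p2c, int) or not 0 < p2c <= MAX_P2C:
            raise ValueError("PBES2 p2c missing or out of bounds")
    return header


def hs256_tag(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def sign_hs256(claims: dict, key: bytes) -> str:
    h, p = json_segment({"alg": "HS256", "typ": "JWT"}), json_segment(claims)
    signing_input = f"{h}.{p}".encode("ascii")
    return f"{h}.{p}.{b64url_encode(hs256_tag(signing_input, key))}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: header says `none`, signature segment left empty."""
    return f"{json_segment({'alg': 'none', 'typ': 'JWT'})}.{json_segment(claims)}."


def decode_unpinned(token: str, key: bytes) -> dict:
    """The vulnerable pattern: the token's own header selects the algorithm."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        sig_ok = s == ""                       # "verifies" an unsigned token
    elif header.get("alg") == "HS256":
        sig_ok = hmac.compare_digest(hs256_tag(f"{h}.{p}".encode(), key), b64url_decode(s))
    else:
        raise ValueError("unsupported alg")
    if not sig_ok:
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def decode_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened: pre-check, then verify with the algorithm bound to the key."""
    header = parse_header(token)
    if header["alg"] != expected_alg:
        raise ValueError(f"alg {header['alg']!r} is not the key's algorithm {expected_alg!r}")
    if expected_alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    h, p, s = token.split(".")
    if not hmac.compare_digest(hs256_tag(f"{h}.{p}".encode(), key), b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def is_rejected(fn, *args) -> bool:
    """True when fn raises ValueError (base64 and JSON errors are subclasses)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"example-shared-secret"                              # constructed key
    good = sign_hs256({"sub": "alice", "admin": False}, key)
    forged = forge_alg_none({"sub": "alice", "admin": True})    # constructed attack token
    print("unpinned accepts forged:", not is_rejected(decode_unpinned, forged, key))
    print("pinned rejects forged:  ", is_rejected(decode_pinned, forged, key))
    print("pinned accepts good:    ", decode_pinned(good, key))
```

The point of `decode_pinned` is that the caller, not the token, names the algorithm: a key issued for HS256 will never be handed to an RSA or `none` code path no matter what the header claims. The size checks run on the raw segment strings so a multi-megabyte header or signature is refused before base64 decoding or JSON parsing touches it, which is the mitigation the IBM bulletin describes for the pre-1.6.5 parsing DoS.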
Redos
added 2026/01/22 12:00 a.m.

ROS-20260122-73-0007

Vulnerability in python-authlib related to insufficient input validation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVSS 7.5 | AI score 5.6 | EPSS 0.00424
Exploits 1