3 matches found
CVE-2026-55954 Missing ID token claim validation in ueberauth_apple allows account takeover
Authentication Bypass by Spoofing vulnerability in ueberauth ueberauthapple allows account takeover via unvalidated ID token claims. The Ueberauth.Strategy.Apple.Token.payload/2 function verifies the JWT signature of the callback idtoken against Apple's JWKS but does not validate any registered...
Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
Executive Summary A critical library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect OIDC ID Tokens. Specifically, the internal hash verification logic verifyhash responsible for validating the athash Access Token Hash and chash...
PT-2026-25790
Authlib and Affected Versions Authlib versions prior to 1.6.9 Description Authlib, a Python library for building OAuth and OpenID Connect servers, contains a flaw in its OpenID Connect OIDC ID Token validation logic. The internal hash verification function verify hash exhibits a fail-open behavio...