CVE-2026-28802

CRITICAL

Authlib 1.6.5-1.6.6 - Improper Verification of Cryptographic Signature

Title source: llm

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg

Patch x_refsource_misc

https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0034

EPSS Percentile 25.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-347

Status published

Products (2)

authlib/authlib 1.6.5 - 1.6.7

pypi/authlib 1.6.5 - 1.6.7PyPI

Published Mar 06, 2026

Tracked Since Mar 06, 2026