CVE Catalog

CVE-2026-27962

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.55%

42th percentile - higher than 42% of all known CVEs

Summary

A vulnerability in the Authlib library (versions prior to 1.6.9) allows an attacker to inject a JWK key into the JWT header, enabling the forgery of arbitrary JWT tokens that pass signature verification. The attacker can sign a token with their own private key and embed the corresponding public key in the header, bypassing authentication and authorization entirely.

Risk Assessment

The organization is at risk of complete bypass of JWT-based authentication and authorization mechanisms, potentially leading to unauthorized access to protected resources and data.

Recommendation

Immediately update the Authlib library to version 1.6.9 or later, which contains a fix that prevents JWK header injection.

Original NVD description (English source)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS