CVE-2026-27962
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk42th percentile - higher than 42% of all known CVEs
Summary
A vulnerability in the Authlib library (versions prior to 1.6.9) allows an attacker to inject a JWK key into the JWT header, enabling the forgery of arbitrary JWT tokens that pass signature verification. The attacker can sign a token with their own private key and embed the corresponding public key in the header, bypassing authentication and authorization entirely.
Risk Assessment
The organization is at risk of complete bypass of JWT-based authentication and authorization mechanisms, potentially leading to unauthorized access to protected resources and data.
Recommendation
Immediately update the Authlib library to version 1.6.9 or later, which contains a fix that prevents JWK header injection.
Original NVD description (English source)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

