CVE Catalog

CVE-2026-28802

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile - higher than 34% of all known CVEs

Summary

Authlib library versions 1.6.5 to 1.6.6 incorrectly validate JWT tokens with 'alg: none' and an empty signature, passing them despite an expected failure. The vulnerability is fixed in version 1.6.7.

Risk Assessment

An attacker can exploit this vulnerability to impersonate any user or gain unauthorized access to resources protected by OAuth/OpenID Connect.

Recommendation

Immediately update the Authlib library to version 1.6.7 or later.

Original NVD description (English source)

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS