anonhaven
Ad

CVE-2026-28802

HIGH CVSS 4.0: 7.7 EPSS 0.03%
Updated Mar 06, 2026
Python
Parameter Value
CVSS 7.7 (HIGH)
Affected Versions before 1.6.7
Fixed In 1.6.7
Type CWE-347 (Improper Verification of Cryptographic Signature (Некорректная проверка подписи))
Vendor Python
Public PoC No

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
None
Нет дополнительных условий
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
High
Полная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-347 Improper Verification of Cryptographic Signature (Некорректная проверка подписи)

References 3

https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0…
security-advisories@github.com
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761…
security-advisories@github.com
https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-28804

Python

6.9

CVE-2025-69534

Python

None

CVE-2026-27932

Python

7.5

CVE-2026-27905

Python

8.6

CVE-2026-28416

Python

8.2