anonhaven
Ad

CVE-2026-28802

HIGH CVSS 4.0: 7.7 EPSS 0.02%
Updated Mar 06, 2026
Python
Parameter Value
CVSS 7.7 (HIGH)
Affected Versions before 1.6.7
Fixed In 1.6.7
Type CWE-347 (Improper Verification of Cryptographic Signature)
Vendor Python
Public PoC No

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-347 Improper Verification of Cryptographic Signature

References 3

https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0…
security-advisories@github.com
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761…
security-advisories@github.com
https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40260

Python

6.9

CVE-2026-40947

Python

2.9

CVE-2026-40192

Python

8.7

CVE-2026-40683

Python

7.7

CVE-2026-5713

Python

5.3