
CVE-2026-28498 authlib CVE debrief

The Authlib Python library, used for building OAuth and OpenID Connect servers, was found vulnerable to a library-level issue (CVE-2026-28498) in the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims fails open when it encounters an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter: the library treats the unsupported state as a pass and silently returns True (validation passed), violating fundamental cryptographic design principles and the OIDC specification. The issue is patched in version 1.6.9.

Vendor: authlib
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-16
Original CVE updated: 2026-06-30
Advisory published: 2026-03-16
Advisory updated: 2026-06-30

Who should care

Developers and administrators using the Authlib Python library for OAuth and OpenID Connect server implementations should be aware of this vulnerability. Given the high severity of the issue (CVSS Score: 8.2), immediate attention is required to ensure the integrity of ID Token validation in their systems. Updating to version 1.6.9 or later is strongly recommended.

Technical summary

CVE-2026-28498 is a high-severity vulnerability in the Authlib Python library. It affects the library's handling of OpenID Connect ID Tokens, specifically in the validation of at_hash and c_hash claims. The vulnerability arises from a fail-open behavior in the hash verification logic when encountering unsupported cryptographic algorithms. This allows attackers to bypass integrity protections by providing forged ID Tokens with unrecognized alg header parameters. The issue violates cryptographic design principles and OIDC specifications. A patch is available in Authlib version 1.6.9.
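To make the fail-open pattern concrete, the following is an added illustration written for this debrief; it is not Authlib's code and does not reproduce its function names. It implements the OIDC Core at_hash/c_hash construction (left-most half of the hash selected by the ID Token's alg header, base64url-encoded without padding) twice: a variant that returns True for an unknown alg, as the advisory describes, beside a hardened variant that treats an unknown alg as a verification failure. The algorithm table, function names and sample token value are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

# JWS alg -> hash function, per OIDC Core 3.1.3.6 (at_hash) and 3.3.2.11 (c_hash).
# Only algorithms listed here are "supported" by this illustration.
_ALG_HASH = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def expected_hash(value, alg):
    """Left-most half of hash(value), base64url-encoded without '=' padding."""
    digest = _ALG_HASH[alg](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_claim_failopen(value, claim, alg):
    """Fail-open pattern: an unknown alg is treated as 'nothing to verify'."""
    if alg not in _ALG_HASH:
        return True  # BUG: attacker-chosen alg header short-circuits the check
    return hmac.compare_digest(expected_hash(value, alg), claim)


def verify_hash_claim_failclosed(value, claim, alg):
    """Hardened form: an unknown alg is a hard verification failure."""
    if alg not in _ALG_HASH:
        raise ValueError(f"unsupported alg for at_hash/c_hash check: {alg!r}")
    return hmac.compare_digest(expected_hash(value, alg), claim)


def demo():
    """Run both variants on constructed sample values (not from any real token)."""
    access_token = "SlAV32hkKG"
    good = expected_hash(access_token, "RS256")
    results = {
        "valid_rs256": verify_hash_claim_failclosed(access_token, good, "RS256"),
        "wrong_hash_rs256": verify_hash_claim_failclosed(access_token, "forged", "RS256"),
        "unknown_alg_failopen": verify_hash_claim_failopen(access_token, "forged", "HS1337"),
    }
    try:
        verify_hash_claim_failclosed(access_token, "forged", "HS1337")
        results["unknown_alg_failclosed"] = True
    except ValueError:
        results["unknown_alg_failclosed"] = False
    return results
```

Running demo() shows the wrong at_hash rejected under RS256 but accepted by the fail-open variant once the alg header is unrecognized, while the hardened variant refuses to verify at all.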

Defensive priority

High. Immediate patching to version 1.6.9 or later is recommended to prevent potential bypass of ID Token integrity protections.

Recommended defensive actions

  • Update Authlib to version 1.6.9 or later
  • Review and update affected systems and dependencies
  • Monitor for potential exploitation attempts
  • Implement additional security measures for ID Token validation
  • Conduct thorough inventory checks for vulnerable library usage

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability. The source item URL from NVD offers additional context and references. Vendor references include patches and advisories from Authlib and Red Hat.

Official resources

This article is AI-assisted and based on the supplied source corpus.