PatchSiren cyber security CVE debrief
CVE-2026-28498 authlib CVE debrief
The Authlib Python library, used for building OAuth and OpenID Connect servers, was found vulnerable to a library-level issue (CVE-2026-28498) concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic that validates the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims fails open when it encounters an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token whose alg header parameter is deliberately unrecognized: the library intercepts the unsupported state and silently returns True (validation passed), violating fundamental cryptographic design principles and explicit OIDC specification requirements. This issue has been patched in version 1.6.9.
- Vendor: authlib
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-16
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-16
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using the Authlib Python library for OAuth and OpenID Connect server implementations should be aware of this vulnerability. Given the high severity of the issue (CVSS Score: 8.2), immediate attention is required to ensure the integrity of ID Token validation in their systems. Updating to version 1.6.9 or later is strongly recommended.
Technical summary
CVE-2026-28498 is a high-severity vulnerability in the Authlib Python library. It affects the library's handling of OpenID Connect ID Tokens, specifically in the validation of at_hash and c_hash claims. The vulnerability arises from a fail-open behavior in the hash verification logic when encountering unsupported cryptographic algorithms. This allows attackers to bypass integrity protections by providing forged ID Tokens with unrecognized alg header parameters. The issue violates cryptographic design principles and OIDC specifications. A patch is available in Authlib version 1.6.9.
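To make the fail-open pattern concrete, the following is an added example, not Authlib's code: a constructed model of an at_hash / c_hash verifier in both the vulnerable shape described above (unknown alg returns True) and the hardened, fail-closed shape. The claim computation follows OIDC Core section 3.3.2.11 (left-most half of the hash of the token's ASCII octets, base64url without padding); the function names, the ALG_TO_HASH table and the sample token value are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

# JWS "alg" values -> hash function used for at_hash / c_hash (OIDC Core 3.3.2.11).
# The claim is the left-most half of hash(ASCII(token)), base64url-encoded, no padding.
# Table constructed for this example; it is not Authlib's own mapping.
ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def expected_hash_claim(token: str, alg: str) -> str:
    """Compute the at_hash / c_hash value a correct ID Token would carry for `token`."""
    digest = hashlib.new(ALG_TO_HASH[alg], token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_hash_claim_fail_open(claim: str, token: str, alg: str) -> bool:
    """Constructed model of the vulnerable pattern: an unknown alg is reported as 'passed'."""
    if alg not in ALG_TO_HASH:
        return True  # fail-open: nothing was checked, yet the caller sees success
    return hmac.compare_digest(expected_hash_claim(token, alg), claim)


def verify_hash_claim_fail_closed(claim: str, token: str, alg: str) -> bool:
    """Hardened form: an algorithm the verifier cannot hash with is a verification failure."""
    if alg not in ALG_TO_HASH:
        raise ValueError(f"cannot verify hash claim: unsupported alg {alg!r}")
    return hmac.compare_digest(expected_hash_claim(token, alg), claim)


def demo() -> dict:
    """Run both verifiers over a genuine claim and a forged token; return the outcomes."""
    access_token = "constructed.access.token"  # constructed sample value, not a real token
    genuine = expected_hash_claim(access_token, "RS256")
    results = {
        "genuine_rs256": verify_hash_claim_fail_closed(genuine, access_token, "RS256"),
        "wrong_rs256": verify_hash_claim_fail_closed("not-the-hash", access_token, "RS256"),
        # Forged ID Token: bogus at_hash combined with an alg the verifier does not know.
        "forged_fail_open": verify_hash_claim_fail_open("not-the-hash", access_token, "XX999"),
    }
    try:
        verify_hash_claim_fail_closed("not-the-hash", access_token, "XX999")
        results["forged_fail_closed"] = "accepted"
    except ValueError:
        results["forged_fail_closed"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the hardened verifier never maps "I do not know how to check this" onto a boolean success value: an unrecognized alg raises, so the ID Token is rejected before any downstream code can treat the access token or authorization code as bound to it. Reviewing your own token-validation code for branches that return True on an unsupported or missing algorithm is a useful complement to the version upgrade.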
Defensive priority
High. Immediate patching to version 1.6.9 or later is recommended to prevent potential bypass of ID Token integrity protections.
Recommended defensive actions
- Update Authlib to version 1.6.9 or later
- Review and update affected systems and dependencies
- Monitor for potential exploitation attempts
- Implement additional security measures for ID Token validation
- Conduct thorough inventory checks for vulnerable library usage
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability. The source item URL from NVD offers additional context and references. Vendor references include patches and advisories from Authlib and Red Hat.
Official resources
- CVE-2026-28498 CVE record (CVE.org)
- CVE-2026-28498 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] (Patch)
- Mitigation or vendor reference: [email protected] (Product, Release Notes)
- Mitigation or vendor reference: [email protected] (Exploit, Mitigation, Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.