PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28802 authlib CVE debrief

CVE-2026-28802 is a high-severity vulnerability in Authlib, a Python library used to build OAuth and OpenID Connect servers. Under certain conditions the library skips JWT signature verification, which can lead to a security bypass. The vulnerability affects versions from 1.6.5 up to, but not including, 1.6.7; a patch is available in version 1.6.7. The CVSS score is 7.7, indicating high severity.

Vendor: authlib
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-06
Original CVE updated: 2026-06-30
Advisory published: 2026-03-06
Advisory updated: 2026-06-30

Who should care

Developers and administrators who use Authlib to implement OAuth or OpenID Connect servers should be aware of this vulnerability. Affected versions range from 1.6.5 up to, but not including, 1.6.7. Users of Red Hat products may also be affected, as indicated by multiple Red Hat errata references.

Technical summary

Authlib, a Python library for building OAuth and OpenID Connect servers, contained a vulnerability in which a malicious JWT carrying 'alg: none' and an empty signature passed the signature verification step in tests instead of being rejected. The issue existed from version 1.6.5 up to, but not including, 1.6.7. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature).

Defensive priority

With a CVSS score of 7.7 (high), this vulnerability warrants immediate attention from developers and administrators running affected versions of Authlib.

Recommended defensive actions

  • Upgrade Authlib to version 1.6.7 or later, which contains the fix.
  • Review and update affected Red Hat products according to the published errata references.
  • Apply additional hardening to OAuth and OpenID Connect server configurations.
  • Monitor for exploitation attempts with security monitoring tools.
  • Verify the signature of every JWT before trusting its claims.
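As an added illustration of the verification step that both the technical summary and the last action above refer to (example code written for this debrief, not Authlib's own implementation), the following stand-alone Python verifier accepts only an explicit algorithm allowlist, so a token whose header claims 'alg: none', or that carries an empty signature, is rejected before any claim is read. The HMAC-SHA256 key, the sample claims and the helper that builds test tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this verifier accepts; "none" is deliberately absent (CWE-347 mitigation).
ALLOWED_ALGS = {"HS256"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims of `token` only if it is signed with an allowed algorithm; else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Check the algorithm allowlist before anything else; 'alg: none' fails here.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {header.get('alg')!r} is not allowed")
    # An empty signature is never acceptable for a signed algorithm.
    if not signature_b64:
        raise ValueError("empty signature")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))

def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    # Constructed test input: alg="none" yields the unsigned shape the debrief describes.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def is_valid(token: str, key: bytes) -> bool:
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False
```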

Evidence notes

The vulnerability was patched in Authlib version 1.6.7. Multiple Red Hat references indicate potential impact on Red Hat products. The CVE record and the NVD entry provide full details of the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.