PatchSiren cyber security CVE debrief
CVE-2026-28802 authlib CVE debrief
CVE-2026-28802 is a high-severity vulnerability in Authlib, a Python library for building OAuth and OpenID Connect servers. In certain scenarios the library skips signature verification, potentially allowing a security bypass. The vulnerability affects versions from 1.6.5 up to, but not including, 1.6.7; version 1.6.7 contains the fix. The CVSS score is 7.7, which is rated high severity.
- Vendor: authlib
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-06
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-06
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running OAuth or OpenID Connect servers built on Authlib should be aware of this vulnerability. Affected versions are from 1.6.5 up to, but not including, 1.6.7. Users of Red Hat products may also be impacted, as indicated by multiple Red Hat errata references.
Technical summary
Authlib, a Python library for building OAuth and OpenID Connect servers, contained a flaw in JWT signature verification: the project's tests that feed a malicious JWT with 'alg: none' and an empty signature passed the signature verification step instead of failing as expected. The flaw was present from version 1.6.5 up to, but not including, 1.6.7. The vulnerability's CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature).
Defensive priority
This vulnerability has a high CVSS score of 7.7, indicating a high severity level. Immediate attention is recommended for developers and administrators using affected versions of Authlib.
Recommended defensive actions
- Upgrade Authlib to version 1.6.7 or later to patch the vulnerability.
- Review and update affected Red Hat products according to the provided errata references.
- Implement additional security measures for OAuth and OpenID Connect server configurations.
- Monitor for potential exploitation attempts using security monitoring tools.
- Verify the authenticity of JWTs before processing them.
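The technical summary above describes the CWE-347 failure mode (a token whose header says 'alg: none' and whose signature is empty passing verification), and the last recommended action asks that JWT authenticity be verified before a token is processed. The following added example, written for this debrief and not taken from Authlib or from the advisory, shows what a correct verifier must do: take the algorithm from a server-side allowlist rather than from the token's header, require a non-empty signature for every accepted algorithm, and compare signatures in constant time. It uses only the Python standard library, supports HS256 only, and uses a constructed demo key and constructed tokens; `verify_trusting_header` is a deliberately defective reference implementation of the defect class, included so the two behaviours can be compared on the same input.

```python
import base64
import hashlib
import hmac
import json

# Server-side allowlist of acceptable algorithms. The hardened verifier consults
# this set, never the token's own "alg" header, when deciding how to verify.
ALLOWED_ALGS = frozenset({"HS256"})

# Constructed demo key: not a real secret and not taken from the advisory.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


class InvalidToken(Exception):
    """Raised when a token fails any verification check."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a properly signed HS256 token (constructed test input)."""
    signing_input = f"{_json_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_json_segment(claims)}"
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(tag)}"


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input of the shape named in the advisory:
    the header declares alg "none" and the signature segment is empty."""
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(claims)}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Defect pattern (CWE-347): the token's own header chooses the algorithm,
    so a header of "none" switches signature checking off entirely."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # no check performed
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def verify_hardened(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Hardened verifier: the algorithm must be on the server's allowlist, every
    accepted algorithm needs a real signature, and comparison is constant-time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, TypeError) as exc:
        raise InvalidToken("unparsable header") from exc
    alg = header.get("alg")
    # Allowlisting (rather than denylisting "none") also covers spelling
    # variants such as "None" or "NONE" and any algorithm the server never enabled.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise InvalidToken(f"algorithm {alg!r} is not permitted")
    signature = _b64url_decode(sig_b64)
    if not signature:
        raise InvalidToken("empty signature")
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise InvalidToken("signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


def is_rejected(token: str, key: bytes) -> bool:
    """True when the hardened verifier refuses the token."""
    try:
        verify_hardened(token, key)
    except InvalidToken:
        return True
    return False


def demo() -> dict:
    """Run the two verifiers over constructed tokens and report the outcomes."""
    good = make_hs256_token({"sub": "alice"}, DEMO_KEY)
    unsigned = make_unsigned_token({"sub": "admin"})
    # Altered payload carrying a signature that was computed over different data.
    head, _, sig = good.split(".")
    tampered = f"{head}.{_json_segment({'sub': 'admin'})}.{sig}"
    return {
        "valid_accepted": verify_hardened(good, DEMO_KEY) == {"sub": "alice"},
        "alg_none_rejected": is_rejected(unsigned, DEMO_KEY),
        "tampered_rejected": is_rejected(tampered, DEMO_KEY),
        "alg_none_passes_defective_verifier": verify_trusting_header(unsigned, DEMO_KEY) == {"sub": "admin"},
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the allowlist is a property of the server, fixed at configuration time, and the header is only ever checked against it; the token never gets to choose how it is verified. The empty-signature check is kept separate from the HMAC comparison so that a future algorithm branch cannot accidentally accept a missing signature.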
Evidence notes
The vulnerability was patched in Authlib version 1.6.7. Multiple references from Red Hat indicate potential impact on their products. The CVE record and NVD detail provide comprehensive information about the vulnerability.
Official resources
- CVE-2026-28802 CVE record (CVE.org)
- CVE-2026-28802 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.