PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49852 authlib CVE debrief

The joserfc library, used for JSON Object Signing and Encryption (JOSE) standards, had a vulnerability prior to version 1.6.8. Specifically, joserfc.jwt.decode would accept HMAC-signed tokens even when the verification key provided by the caller was an empty string or None. This occurred because HMACAlgorithm.sign and HMACAlgorithm.verify passed the output of OctKey.get_op_key(...) to hmac.new(...), and OctKey.import_key only issued a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue allowed for the acceptance of attacker-forged HMAC-signed tokens. The CVE record was published on 2026-07-17T20:17:23.270Z and has not been modified since then. Users of the joserfc Python library should verify their usage and update to version 1.6.8 or later to address this vulnerability.

Vendor
authlib
Product
joserfc
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the joserfc Python library, specifically those who utilize the library for JSON Object Signing and Encryption (JOSE) standards, should verify their usage and update to version 1.6.8 or later to address this vulnerability. This includes developers, security teams, and operators who rely on the library for secure token validation.

Technical summary

The joserfc library, used for JSON Object Signing and Encryption (JOSE) standards, had a vulnerability prior to version 1.6.8. Specifically, joserfc.jwt.decode would accept HMAC-signed tokens even when the verification key provided by the caller was an empty string or None. This occurred because HMACAlgorithm.sign and HMACAlgorithm.verify passed the output of OctKey.get_op_key(...) to hmac.new(...), and OctKey.import_key only issued a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue allowed for the acceptance of attacker-forged HMAC-signed tokens.

Defensive priority

High priority due to the high CVSS score of 8.7 and the potential for attackers to forge HMAC-signed tokens.

Recommended defensive actions

  • Update joserfc to version 1.6.8 or later
  • Verify and validate all HMAC-signed tokens with a proper verification key
  • Implement additional security measures to detect and prevent potential attacks
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its fix. The source item URL and references offer additional context and resources for further investigation. Users should verify their usage of the joserfc library and update to version 1.6.8 or later. It is essential to validate all HMAC-signed tokens with a proper verification key and implement additional security measures to detect and prevent potential attacks. The vulnerability allows for the acceptance of attacker-forged HMAC-signed tokens due to the handling of empty or None verification keys.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:23.270Z and has not been modified since then.