FKIE_CVE-2026-27962

Vulnerability from fkie_nvd - Published: 2026-03-16 18:16 - Updated: 2026-03-17 20:46
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
References
security-advisories@github.comhttps://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681Patch
security-advisories@github.comhttps://github.com/authlib/authlib/releases/tag/v1.6.9Product, Release Notes
security-advisories@github.comhttps://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5Exploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
authlib authlib *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C677FEC-2094-49D8-ABAB-F740B6F83D38",
              "versionEndExcluding": "1.6.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib\u0027s JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid \u2014 bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9."
    },
    {
      "lang": "es",
      "value": "Authlib es una biblioteca de Python que construye servidores OAuth y OpenID Connect. Antes de la versi\u00f3n 1.6.9, una vulnerabilidad de inyecci\u00f3n de encabezado JWK en la implementaci\u00f3n JWS de authlib permite a un atacante no autenticado falsificar tokens JWT arbitrarios que pasan la verificaci\u00f3n de firma. Cuando se pasa key=None a cualquier funci\u00f3n de deserializaci\u00f3n JWS, la biblioteca extrae y utiliza la clave criptogr\u00e1fica incrustada en el campo de encabezado jwk del JWT controlado por el atacante. Un atacante puede firmar un token con su propia clave privada, incrustar la clave p\u00fablica correspondiente en el encabezado y hacer que el servidor acepte el token falsificado como criptogr\u00e1ficamente v\u00e1lido \u2014 eludiendo la autenticaci\u00f3n y la autorizaci\u00f3n por completo. Este problema ha sido parcheado en la versi\u00f3n 1.6.9."
    }
  ],
  "id": "CVE-2026-27962",
  "lastModified": "2026-03-17T20:46:48.053",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-16T18:16:07.383",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.