GHSA-P44Q-VQPR-4XMG
Vulnerability from github – Published: 2026-03-31 23:48 – Updated: 2026-04-06 17:13
Summary
Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
Details
Summary
In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.
Notes
- This issue applies only to token authentication.
- This issue applies only when the application verifies tokens by searching for them in a user database.
- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to NULL instead.
- Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
- Basic and Digest authentication are not affected by this issue.
Remediation
To protect against this issue, developers should make sure that no user in the user database has their token set to an empty string. If there are such users, change the value of those tokens to NULL instead.
Alternatively, developers can upgrade their projects to Flask-HTTPAuth>=4.8.1, which fixes this issue.
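The following is an added illustration, not code from Flask-HTTPAuth or from the advisory. It models the behaviour the advisory describes (a missing or empty bearer token reaching the application's verification callback as an empty string) against a constructed in-memory SQLite user table, and shows the two remediations side by side: a callback that refuses empty tokens before touching the database, and an audit/migration step that replaces empty-string tokens with NULL. The table schema, user rows, token values and helper names are all assumptions made for the example.

```python
import sqlite3
from typing import Callable, List, Optional

# Constructed sample data for this example only (not real application data).
# "bob" shows the risky pattern (no token stored as ""), "carol" the safe one (NULL).
SAMPLE_USERS = [
    ("alice", "tok-alice-123"),  # has an assigned token
    ("bob", ""),                 # no token, stored as an empty string
    ("carol", None),             # no token, stored as NULL
]


def build_user_db() -> sqlite3.Connection:
    """Create an in-memory user table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, token TEXT)"
    )
    conn.executemany("INSERT INTO users (username, token) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_by_token(conn: sqlite3.Connection, token: Optional[str]) -> Optional[str]:
    """Database lookup as an application might write it. Note that
    `token = ''` matches a row whose token is '', while `token = NULL`
    never matches anything in SQL, which is why NULL is the safe sentinel."""
    row = conn.execute(
        "SELECT username FROM users WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def verify_token_vulnerable(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """Callback that trusts whatever token value it is handed (assumed
    application code, the pattern the advisory warns about)."""
    return lookup_user_by_token(conn, token)


def verify_token_hardened(conn: sqlite3.Connection, token: Optional[str]) -> Optional[str]:
    """Callback that refuses a missing or empty token before any lookup.
    This protects the application regardless of library version."""
    if not token:
        return None
    return lookup_user_by_token(conn, token)


def simulate_request(
    conn: sqlite3.Connection,
    verify_token: Callable[[sqlite3.Connection, str], Optional[str]],
    authorization_header: Optional[str],
) -> Optional[str]:
    """Model the behaviour the advisory describes for affected versions: when
    the Authorization header is absent or carries an empty bearer token, the
    callback is invoked with token == "". Returns the authenticated username
    or None. (Simplified model of the header handling, not the library's code.)"""
    token = ""
    if authorization_header:
        scheme, _, value = authorization_header.partition(" ")
        if scheme.lower() == "bearer":
            token = value.strip()
    return verify_token(conn, token)


def find_empty_string_tokens(conn: sqlite3.Connection) -> List[str]:
    """Audit step: list users whose token is stored as an empty string."""
    return [r[0] for r in conn.execute("SELECT username FROM users WHERE token = ''")]


def null_out_empty_tokens(conn: sqlite3.Connection) -> int:
    """Remediation step from the advisory: set empty-string tokens to NULL.
    Returns the number of rows changed."""
    cur = conn.execute("UPDATE users SET token = NULL WHERE token = ''")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_user_db()
    print("no header, naive callback   ->", simulate_request(db, verify_token_vulnerable, None))
    print("no header, hardened callback ->", simulate_request(db, verify_token_hardened, None))
    print("users with '' tokens         ->", find_empty_string_tokens(db))
    print("rows migrated to NULL        ->", null_out_empty_tokens(db))
    print("no header after migration    ->", simulate_request(db, verify_token_vulnerable, None))
```

Run as a script to see the before/after: with the naive callback and no Authorization header, the empty string matches "bob"; the hardened callback returns None for the same request, and after `null_out_empty_tokens` even the naive callback no longer matches anyone, because a NULL token never compares equal to "". Doing both (fix the callback and clean the data) is the defensive choice, since either one alone is a single point of failure.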
Severity
6.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.8.0"
},
"package": {
"ecosystem": "PyPI",
"name": "Flask-HTTPAuth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34531"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:48:02Z",
"nvd_published_at": "2026-04-01T21:17:01Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nIn a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application\u0027s token verification callback function with the `token` argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.\n\n## Notes\n\n- This issue applies only to token authentication\n- This issue applies only when the application verifies tokens by searching for them in a user database.\n- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to `NULL` instead.\n- Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.\n- Basic and Digest authentication are not affected by this issue.\n\n## Remediation\n\nTo protect against this issue, developers should make sure that no user in the user database has their `token` set to an empty string. If there are such users, change the value of those tokens to `NULL` instead.\n\nAlternatively, developers can upgrade their projects to `Flask-HTTPAuth\u003e=4.8.1`, which fixes this issue.",
"id": "GHSA-p44q-vqpr-4xmg",
"modified": "2026-04-06T17:13:44Z",
"published": "2026-03-31T23:48:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34531"
},
{
"type": "WEB",
"url": "https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth"
},
{
"type": "WEB",
"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.