JWK Header Injection Vulnerability in Authlib Python Library
CVE-2026-27962

CVSS v3.1: 9.1 CRITICAL

Key Information:

Vendor: Authlib
Status: Vendor
CVE Published: 16 March 2026

What is CVE-2026-27962?

Authlib, a Python library used to build OAuth and OpenID Connect servers, contains a significant vulnerability in versions prior to 1.6.9. The flaw lets an unauthenticated attacker exploit the JWS implementation by injecting a malicious JSON Web Key (JWK) header. When the library's JWS deserialization methods are called with `key=None`, they wrongly trust the cryptographic key embedded in the token's own `jwk` header field, which the attacker controls. An attacker can therefore sign a forged JWT with a private key of their choosing, place the matching public key in the `jwk` header, and the server accepts the token as valid. This bypasses authentication and authorization entirely, which is why the issue is rated critical. Users should upgrade to the patched version 1.6.9 to mitigate the risk.
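The following is an added example, not Authlib's code and not taken from the advisory, that shows the two key-resolution patterns side by side: a verifier that, given `key=None`, pulls the key out of the token's own header (the flawed behaviour described above), and a hardened verifier that accepts keys only from a server-side keyset selected by `kid` and refuses any header that carries key material. To stay standard-library only it uses HS256 with a symmetric `oct` JWK rather than the RSA/EC public key an attacker would embed against Authlib; the logic defect, trusting key material supplied by the token itself, is the same. All secrets, key ids, function names and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data):
    # JOSE base64url: no padding, URL-safe alphabet
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_compact(claims, secret, extra_header=None):
    """Produce an HS256 compact JWS; extra_header adds fields such as kid or jwk."""
    header = {"alg": "HS256", "typ": "JWT"}
    header.update(extra_header or {})
    signing_input = _json_b64(header) + "." + _json_b64(claims)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def _split(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    return header, parts[0], parts[1], parts[2]


def _check_signature(head_b64, body_b64, sig_b64, secret):
    expected = hmac.new(secret, (head_b64 + "." + body_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(body_b64))


def verify_trusting_header_jwk(token, key=None):
    """Flawed pattern: with key=None the verifier takes the key from the token's header."""
    header, h, b, s = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if key is None:
        jwk = header.get("jwk")
        if not isinstance(jwk, dict) or jwk.get("kty") != "oct":
            raise ValueError("no usable key")
        key = b64url_decode(jwk["k"])  # whoever minted the token chose this value
    return _check_signature(h, b, s, key)


def verify_with_pinned_keys(token, keyset):
    """Hardened pattern: keys come only from the server-side keyset, selected by kid."""
    header, h, b, s = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    for field in ("jwk", "jku", "x5u", "x5c"):
        if field in header:
            raise ValueError("header carries key material (%s); refusing" % field)
    kid = header.get("kid")
    if kid not in keyset:
        raise ValueError("unknown kid")
    return _check_signature(h, b, s, keyset[kid])


# Constructed secrets for the example only
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
ATTACKER_SECRET = b"constructed-attacker-secret"


def demo():
    """Returns (flawed verifier accepts forged, hardened rejects forged, hardened accepts legit)."""
    keyset = {"srv-1": SERVER_SECRET}
    legit = sign_compact({"sub": "alice"}, SERVER_SECRET, {"kid": "srv-1"})
    # Forged token: signed with a key the server never issued, with that key embedded in the header
    forged = sign_compact({"sub": "admin"}, ATTACKER_SECRET,
                          {"jwk": {"kty": "oct", "k": b64url_encode(ATTACKER_SECRET)}})
    flawed_accepts_forged = verify_trusting_header_jwk(forged)["sub"] == "admin"
    try:
        verify_with_pinned_keys(forged, keyset)
        hardened_rejects_forged = False
    except ValueError:
        hardened_rejects_forged = True
    hardened_accepts_legit = verify_with_pinned_keys(legit, keyset)["sub"] == "alice"
    return flawed_accepts_forged, hardened_rejects_forged, hardened_accepts_legit


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The hardened verifier also makes a useful detection rule: any inbound token whose protected header contains `jwk`, `jku`, `x5u` or `x5c` is something a server that only ever issues `kid`-referenced keys should never see, so rejecting and logging those headers flags forgery attempts against unpatched deployments.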

Affected Version(s)

authlib < 1.6.9

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
