Cryptographic Padding Oracle Vulnerability in Authlib Python Library
CVE-2026-28490
8.3 HIGH
What is CVE-2026-28490?
A cryptographic padding oracle vulnerability exists in the Authlib Python library before version 1.6.9 due to an insecure implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers the RSA1_5 algorithm in its default algorithm registry without requiring an explicit opt-in from users, so the algorithm is available unless an application restricts it. In addition, Authlib's handling of RSA1_5 actively undermines the constant-time mitigation provided by the underlying cryptography library, which leads to significant security risks. Users are encouraged to update to version 1.6.9 or later to protect against this vulnerability.
Affected Version(s)
authlib < 1.6.9
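
An added example (not from the advisory or the Authlib project): a standard-library check that flags an installed Authlib older than 1.6.9 and rejects JWE compact tokens whose `alg` is not on an explicit allow-list before they reach decryption. The allow-list contents, the function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import re
from importlib import metadata

FIXED = (1, 6, 9)  # first fixed release named in the advisory
# Assumed local policy: key-management algorithms this service accepts.
ALLOWED_ALGS = {"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES+A256KW", "dir"}

def is_affected(version):
    """True if an Authlib version string is older than 1.6.9."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    release = tuple(nums + [0] * (3 - len(nums)))
    # Pre-releases of 1.6.9 (rc/a/b/dev) sort before the fixed release.
    pre = re.match(r"\.?(a|b|rc|dev)", m.group(2)) is not None
    return release < FIXED or (release == FIXED and pre)

def installed_authlib_affected():
    try:
        return is_affected(metadata.version("authlib"))
    except metadata.PackageNotFoundError:
        return None  # Authlib is not installed in this environment

def jwe_alg(token):
    """Read 'alg' from a JWE compact token's protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization has 5 parts")
    raw = parts[0] + "=" * (-len(parts[0]) % 4)  # restore base64url padding
    header = json.loads(base64.urlsafe_b64decode(raw))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header.get("alg")

def gate(token):
    """True only if the token's 'alg' is on the allow-list (so not RSA1_5)."""
    try:
        return jwe_alg(token) in ALLOWED_ALGS
    except (ValueError, TypeError):
        return False  # malformed header or non-string alg: reject

def sample_token(alg):
    # Constructed sample: real header, placeholder bytes for the other parts.
    hdr = json.dumps({"alg": alg, "enc": "A256GCM"}).encode()
    return base64.urlsafe_b64encode(hdr).rstrip(b"=").decode() + ".AA.AA.AA.AA"
```

Run `installed_authlib_affected()` inside the deployed environment, and call `gate()` on incoming tokens ahead of any decryption call.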
