Library Vulnerability in Authlib Python Library Affecting OAuth and OpenID Connect Implementation
CVE-2026-28498

8.2 HIGH

Key Information:

Vendor:
Authlib
Status:
Vendor
CVE Published:
16 March 2026

What is CVE-2026-28498?

Authlib is a Python library used to build OAuth and OpenID Connect servers. Before version 1.6.9 it contains a library-level flaw in the validation of OpenID Connect ID Tokens: the internal function that verifies the access token and authorization code hashes fails open when it encounters an unrecognized cryptographic algorithm. Instead of rejecting the token, the library reports the check as passed, so an attacker can submit a forged ID Token whose header names an unsupported algorithm and bypass the integrity checks that these hashes are meant to provide. That behaviour undermines the cryptographic guarantees the checks exist for and contravenes the OIDC specification. The vulnerability is fixed in version 1.6.9.
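
The following is an added, self-contained illustration of the fail-open pattern described above and of the fail-closed form it should take. It is not Authlib's code and does not reproduce Authlib's internal function; all names (`verify_hash_fail_open`, `verify_hash_fail_closed`, `check_id_token_hashes`, `demo`) and the sample token values are constructed for this example. The only specification-derived part is the hashing rule itself: OpenID Connect Core defines `at_hash` and `c_hash` as the base64url-encoded left-most half of the hash of the access token or authorization code, using the hash algorithm that matches the ID Token's JWS `alg`.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Hash function that OpenID Connect Core prescribes for at_hash / c_hash,
# keyed by the JWS "alg" of the ID Token. Algorithms outside this table are
# "unrecognized" on purpose so the failure path can be exercised below.
ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def expected_half_hash(value: str, alg: str) -> str:
    """Left-most half of hash(value), base64url-encoded without padding."""
    digest = hashlib.new(ALG_TO_HASH[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_fail_open(claim: Optional[str], value: str, alg: str) -> bool:
    """Illustrative vulnerable pattern (hypothetical, not Authlib's code):
    an alg with no known hash is treated as 'nothing to check' and passes."""
    if alg not in ALG_TO_HASH:
        return True  # fail-open: the forged claim is never compared
    return claim == expected_half_hash(value, alg)


def verify_hash_fail_closed(claim: Optional[str], value: str, alg: str) -> bool:
    """Hardened pattern: an unknown alg is an error, never a pass."""
    if alg not in ALG_TO_HASH:
        raise ValueError(f"unsupported ID Token alg {alg!r}")
    if not isinstance(claim, str) or not claim:
        return False  # missing claim cannot vouch for the token/code
    return hmac.compare_digest(claim, expected_half_hash(value, alg))


def check_id_token_hashes(header: dict, claims: dict,
                          access_token: Optional[str], code: Optional[str],
                          verify=verify_hash_fail_closed) -> bool:
    """Run the at_hash / c_hash checks for an ID Token whose signature has
    already been verified. header/claims are plain dicts standing in for
    the decoded JWT; `verify` selects which of the two patterns is used."""
    alg = header.get("alg", "")
    ok = True
    if access_token is not None:
        ok = ok and verify(claims.get("at_hash"), access_token, alg)
    if code is not None:
        ok = ok and verify(claims.get("c_hash"), code, alg)
    return ok


def demo() -> dict:
    """Constructed sample: a forged ID Token whose header names an alg the
    verifier has no hash mapping for, alongside a genuine RS256 token."""
    forged_header = {"alg": "XX999"}                       # constructed
    forged_claims = {"at_hash": "AAAA", "c_hash": "BBBB"}  # constructed, bogus
    results = {}
    results["fail_open_accepts"] = check_id_token_hashes(
        forged_header, forged_claims, "access-token-1", "code-1",
        verify=verify_hash_fail_open)
    try:
        check_id_token_hashes(forged_header, forged_claims,
                              "access-token-1", "code-1")
        results["fail_closed_rejects"] = False
    except ValueError:
        results["fail_closed_rejects"] = True
    good_header = {"alg": "RS256"}
    good_claims = {"at_hash": expected_half_hash("access-token-1", "RS256"),
                   "c_hash": expected_half_hash("code-1", "RS256")}
    results["genuine_accepted"] = check_id_token_hashes(
        good_header, good_claims, "access-token-1", "code-1")
    results["tampered_rejected"] = not check_id_token_hashes(
        good_header, good_claims, "access-token-2", "code-1")
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the first branch of each verifier: a lookup miss on the algorithm table must propagate as a rejection (here an exception, so callers cannot accidentally ignore it), and the comparison of the supplied claim against the recomputed value should be constant-time. Detecting exploitation of the fail-open variant is also straightforward once the check is written this way: any ID Token presented with an `alg` outside the supported set is an event worth logging rather than a silent success.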

Affected Version(s)

authlib < 1.6.9

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
