Security Flaw in Authlib Library for OAuth and OpenID Connect Servers
CVE-2026-28802

7.7HIGH

Key Information:

Vendor

Authlib

Status
Authlib
Vendor
CVE Published:
6 March 2026

What is CVE-2026-28802?

A flaw exists in the Authlib library for building OAuth and OpenID Connect servers which can allow attackers to pass a malicious JSON Web Token (JWT) that contains an 'alg' value set to 'none' and an empty signature. Versions from 1.6.5 to before 1.6.7 improperly validate this JWT, leading to the signature verification step allowing such tokens without raising an error, thereby failing to protect the application adequately. The issue has been resolved in version 1.6.7 through improved validation mechanisms.

Affected Version(s)

authlib >= 1.6.5, < 1.6.7

References

https://github.com/authlib/authlib/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/a61c2acb807496e...
x_refsource_MISC
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7...
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.