Authentication Bypass Vulnerability in Flask-HTTPAuth by Miguel Grinberg
CVE-2026-34531

CVSS v3.1: 6.5 (MEDIUM)

Key Information:

Vendor: Miguel Grinberg
CVE Published: 1 April 2026

What is CVE-2026-34531?

A vulnerability exists in Flask-HTTPAuth that allows an attacker to bypass token authentication under specific conditions. If a client requests a resource protected by token authentication without supplying a token, the framework may erroneously pass an empty string to the application's token verification callback. If any user record in the application's database is associated with an empty token, that lookup succeeds and the request is treated as authenticated. The issue is fixed in version 4.8.1.
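The following is an added example, not code from the advisory or from the Flask-HTTPAuth project. It shows the application-side mitigation for the condition just described: a token verification callback that refuses empty or whitespace-only tokens before consulting the user store, alongside the unguarded lookup that the empty-string argument would match, plus a small audit helper that finds user records whose stored token is empty. The user table, token values and function names are constructed for illustration; in a real application the hardened function is the one registered with Flask-HTTPAuth's `@auth.verify_token` decorator, and upgrading to 4.8.1 or later remains the primary fix.

```python
"""Added example (not code from the advisory or from Flask-HTTPAuth):
hardening a token verification callback against the empty-token condition
described in CVE-2026-34531. All data and names below are constructed."""

from typing import Dict, List, Optional

# Constructed in-memory user table keyed by API token. The record keyed by
# the empty string models the precondition the advisory names: a user whose
# stored token is "".
USERS_BY_TOKEN: Dict[str, str] = {
    "tok-alice-0123": "alice",
    "": "legacy-service",  # constructed: account that never had a token issued
}


def verify_token_naive(token: Optional[str]) -> Optional[str]:
    """Unguarded lookup. When the framework hands this callback an empty
    string, the "" record matches and a user is returned, which is exactly
    the unintended access the advisory describes."""
    return USERS_BY_TOKEN.get(token)  # type: ignore[arg-type]


def verify_token_hardened(token: Optional[str]) -> Optional[str]:
    """Reject missing, empty or whitespace-only tokens before any lookup.
    This is the function an app would register with @auth.verify_token;
    returning None makes Flask-HTTPAuth treat the request as unauthenticated."""
    if not isinstance(token, str) or not token.strip():
        return None
    return USERS_BY_TOKEN.get(token)


def empty_token_records(users_by_token: Dict[str, str]) -> List[str]:
    """Audit helper: list users whose stored token is empty or whitespace,
    so the data problem is removed at the source as well as in the callback."""
    return [user for tok, user in users_by_token.items() if not tok.strip()]


if __name__ == "__main__":
    print("naive('')    ->", verify_token_naive(""))
    print("hardened('') ->", verify_token_hardened(""))
    print("records with empty tokens:", empty_token_records(USERS_BY_TOKEN))
```

The guard in `verify_token_hardened` is deliberately independent of the framework version: even on a patched Flask-HTTPAuth, a callback that treats any string as a lookup key is only as safe as the data behind it, so the audit helper is worth running once against the real user store.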

Affected Version(s)

Flask-HTTPAuth < 4.8.1

CVSS v3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved