Vulnerability in joserfc Library's JWT Decoding Process for Python
CVE-2026-49852

8.7HIGH

Key Information:

Vendor

Authlib

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49852?

The joserfc library, used for implementing JSON Object Signing and Encryption standards, contains a vulnerability in its JWT decoding mechanism. Prior to version 1.6.8, the library's decode function incorrectly handled HMAC-signed tokens when an empty or None verification key was provided. This mismanagement could allow attackers to forge tokens by bypassing authentication checks. Despite the issuance of a SecurityWarning regarding short keys, the library did not adequately reject zero-length inputs, leading to potential unauthorized access.

Affected Version(s)

joserfc < 1.6.8

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.