Vulnerability in joserfc Library's JWT Decoding Process for Python
CVE-2026-49852
8.7HIGH
What is CVE-2026-49852?
The joserfc library, used for implementing JSON Object Signing and Encryption standards, contains a vulnerability in its JWT decoding mechanism. Prior to version 1.6.8, the library's decode function incorrectly handled HMAC-signed tokens when an empty or None verification key was provided. This mismanagement could allow attackers to forge tokens by bypassing authentication checks. Despite the issuance of a SecurityWarning regarding short keys, the library did not adequately reject zero-length inputs, leading to potential unauthorized access.
Affected Version(s)
joserfc < 1.6.8
