Fluid Attacks Database

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	authlib	>=1.6.5 <1.6.7	1.6.7
debian 13	python-authlib	=1.6.0-1 \|\| =1.6.0-1+deb13u1 \|\| =1.6.1-1 \|\| =1.6.3-1 \|\| =1.6.4-1 \|\| =1.6.5-1 \|\| =1.6.6-1 \|\| =1.6.7-1 \|\| =1.6.8-1 \|\| =1.6.9-1 \|\| =1.7.0-1	-
debian 14	python-authlib	=1.6.0-1 \|\| =1.6.1-1 \|\| =1.6.3-1 \|\| =1.6.4-1 \|\| =1.6.5-1 \|\| =1.6.6-1 \|\| >=0 <1.6.7-1	1.6.7-1

Aliases

1. CVE-2026-288022. NVD-2026-288023. OSV-2026-288024. OSV-DEBIAN-2026-288025. GHSA-7wc2-qxgw-g8gg6. GCVE-2026-288027. SECURITY-TRACKER-CVE-2026-28802

References

1. https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg2. https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a753. https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.