logo

Database

Insufficient data authenticity validation In authlib

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-279622. NVD-2026-279623. OSV-2026-279624. OSV-DEBIAN-2026-279625. GHSA-wvwj-cvrp-7pv56. GCVE-2026-279627. SECURITY-TRACKER-CVE-2026-27962

References

1. https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv52. https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae6813. https://github.com/authlib/authlib/releases/tag/v1.6.9

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.