PT-2026-23089 · Pypi+1 · Oauthlib+1

Michael-Guignard · Published 2026-03-04 · Updated 2026-05-21 · CVE-2026-28802

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Authlib versions 1.6.5 through 1.6.7
Description: Authlib, a Python library for building OAuth and OpenID Connect servers, had a flaw in signature verification. Specifically, tests using a malicious JWT with 'alg: none' and an empty signature were incorrectly passing verification, without any code changes, where a failure was expected. The flaw was introduced by a commit that altered the signature verification logic. An attacker who submits a forged JWT could exploit it to bypass authentication, escalate privileges, gain unauthorized access, or modify application data. The issue was addressed in version 1.6.7.
Recommendations: Authlib versions 1.6.5 through 1.6.7 should be updated to version 1.6.7 or later.
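The forged token shape described above (header `alg: none`, empty third segment) can be rejected at the application boundary before any library verification runs, which also serves as a regression check while the upgrade is rolled out. The following is an added example written for this advisory, not Authlib's own code; the function names and the `ALLOWED_ALGS` allowlist are assumptions standing in for a deployment's real configuration.

```python
import base64
import json

# Assumption: the algorithms this server actually issues tokens with.
ALLOWED_ALGS = frozenset({"RS256", "ES256", "HS256"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def reject_unsigned_jwt(token: str, allowed_algs=ALLOWED_ALGS) -> str:
    """Return a rejection reason, or '' if the token may proceed to signature verification.

    This is a pre-check only: a token that passes here still needs its signature
    cryptographically verified by the library.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    header_b64, _payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return "malformed: header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return "malformed: header is not a JSON object"
    alg = header.get("alg")
    # 'none' in any capitalisation, or a missing/non-string alg, is never acceptable.
    if not isinstance(alg, str) or alg.lower() == "none":
        return "rejected: alg none or missing"
    if alg not in allowed_algs:
        return f"rejected: alg {alg!r} not in allowlist"
    if signature_b64 == "":
        return "rejected: empty signature"
    return ""


# Constructed sample token in the shape the advisory describes: alg none, empty signature.
FORGED_TOKEN = (
    _b64url_encode({"alg": "none", "typ": "JWT"}) + "." + _b64url_encode({"sub": "admin"}) + "."
)
```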

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2026-04355
CVE-2026-28802
ECHO-579F-8639-173E
GHSA-7WC2-QXGW-G8GG

Affected Products

Oauthlib
Red Os