PT-2026-25779 · Pypi+1 · Oauthlib+1

Jaynornj +1 · Published 2026-01-01 · Updated 2026-05-21 · CVE-2026-27962

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Authlib versions prior to 1.6.9

Description: Authlib is a Python library used for building OAuth and OpenID Connect servers. A JWK Header Injection flaw exists in the library's JWS implementation, allowing an unauthenticated attacker to forge arbitrary JWT tokens that bypass signature verification. The flaw is triggered when key=None is passed to any JWS deserialization function: the library then extracts and uses a cryptographic key embedded in the attacker-controlled JWT's jwk header field. An attacker can sign a token with their own private key, embed the corresponding public key in the header, and have the server accept the forged token as valid, effectively circumventing authentication and authorization. This behavior violates RFC 7515 sections 4.1.3 and 5.2, which specify that the jwk header parameter is not recommended and that the verification key must originate from the application context, not from the token itself. The root cause is a fallback mechanism in the library that silently trusts the attacker's embedded key whenever a key resolver callable returns None for an unknown or rotated kid value, a common pattern in JWKS-based key lookup scenarios. As a result, an attacker can impersonate any user or assume any privilege encoded in JWT claims without legitimate credentials.

Recommendations: Update Authlib to version 1.6.9 or later.
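The following is an added illustration of the key-resolution flaw described above and of the fail-closed behaviour that corrects it. It is not Authlib's code and does not reproduce Authlib's API; it is a minimal compact-JWS verifier written for this page. HMAC-SHA256 with a symmetric "oct" JWK stands in for the asymmetric case so the block runs on the standard library alone; the logic error is identical, because in both cases the verification key is taken from the token rather than from the application. The server key set, the key ids, the attacker secret and the claims are all constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {**header, "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def _split(token: str):
    """Parse a compact JWS into header, payload, signing input and raw signature."""
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            (h + "." + p).encode(), b64url_decode(s))


def _key_from_jwk(jwk: dict) -> bytes:
    # Only symmetric 'oct' keys are handled; enough for this illustration.
    if jwk.get("kty") != "oct":
        raise ValueError("unsupported kty")
    return b64url_decode(jwk["k"])


def _hs256_ok(secret: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_vulnerable(token: str, key_resolver) -> dict:
    """Fallback pattern modelled on the advisory: when the resolver returns
    None, the verifier trusts the key carried in the token's own jwk header."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    secret = key_resolver(header, payload)
    if secret is None and "jwk" in header:      # the flaw: token supplies its own key
        secret = _key_from_jwk(header["jwk"])
    if secret is None or not _hs256_ok(secret, signing_input, sig):
        raise ValueError("bad signature")
    return payload


def verify_hardened(token: str, key_resolver) -> dict:
    """Fail closed: the resolver is the only source of keys, and the jwk
    header is ignored entirely (RFC 7515 sections 4.1.3 and 5.2)."""
    header, payload, signing_input, sig = _split(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    secret = key_resolver(header, payload)
    if secret is None:
        raise ValueError("no key for kid %r" % header.get("kid"))
    if not _hs256_ok(secret, signing_input, sig):
        raise ValueError("bad signature")
    return payload


# Constructed sample key set, keyed by kid, as a JWKS lookup would be.
SERVER_KEYS = {"2026-01": b"constructed-server-secret"}


def resolve_key(header: dict, payload: dict):
    """Typical JWKS-style resolver: returns None for unknown or rotated kids."""
    return SERVER_KEYS.get(header.get("kid"))


def legitimate_token() -> str:
    return sign_hs256({"kid": "2026-01"}, {"sub": "alice"}, SERVER_KEYS["2026-01"])


def forged_token() -> str:
    # Unknown kid so the resolver returns None; the header carries the
    # attacker's own key, which is also the key the token was signed with.
    attacker_secret = b"constructed-attacker-secret"
    header = {"kid": "rotated-key",
              "jwk": {"kty": "oct", "k": b64url_encode(attacker_secret)}}
    return sign_hs256(header, {"sub": "admin"}, attacker_secret)


if __name__ == "__main__":
    print("vulnerable accepts forged token:", verify_vulnerable(forged_token(), resolve_key))
    try:
        verify_hardened(forged_token(), resolve_key)
    except ValueError as exc:
        print("hardened rejects forged token:", exc)
```

The hardened verifier pins the expected algorithm and treats a None from the resolver as a hard failure. Detection-wise, the same resolver miss is the event worth logging: a token whose kid is not in the current key set, especially one that also carries a jwk header, should be rejected and recorded rather than silently resolved from the token.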

Weakness Enumeration

Insufficient Verification of Data Authenticity
Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2026-04352
CVE-2026-27962
ECHO-E780-297E-3C37
GHSA-WVWJ-CVRP-7PV5
OPENSUSE-SU-2026:20392-1
SUSE-SU-2026:0975-1

Affected Products

Oauthlib
Red Os