PT-2026-25790 · Oauthlib +1 · Jaynornj +1
Published 2026-01-01 · Updated 2026-05-21 · CVE-2026-28498
CVSS v4.0: 8.2 High
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Versions: Authlib versions prior to 1.6.9
Description: Authlib, a Python library for building OAuth and OpenID Connect servers, contains a flaw in its OpenID Connect (OIDC) ID Token validation logic. The internal hash verification function (_verify_hash) fails open when it encounters an unsupported or unknown cryptographic algorithm: instead of rejecting the token, it reports the hash as verified. An attacker can therefore bypass the integrity protection by supplying a forged ID Token whose header names an unrecognized algorithm; the library silently returns a successful validation result, violating cryptographic principles and the OIDC specification. This can enable Token Substitution Attacks, potentially allowing an attacker to pass off malicious Access Tokens or Authorization Codes as belonging to a legitimate ID Token. The vulnerability resides in the _verify_hash function in authlib/oidc/core/claims.py: create_half_hash returns None for unknown algorithms, and _verify_hash incorrectly interprets that None as a successful verification.
Recommendations: Update to Authlib version 1.6.9 or later to resolve this issue.
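The following is an added illustration of the fail-open pattern the advisory describes, written for this page; it is not Authlib's code. The function names create_half_hash and verify_hash echo the advisory's wording, but the bodies, the HASH_FOR_ALG table and the sample token values are constructed here. It computes the OIDC at_hash / c_hash value (left-most half of the digest, base64url without padding), shows the vulnerable check that treats a None from the hash helper as success, and the fail-closed check beside it.

```python
import base64
import hashlib
import hmac

# Constructed example, not Authlib's implementation. Digest used for the
# at_hash / c_hash claims, keyed by the JWS "alg" of the ID Token (OIDC Core
# section 3.1.3.6: the hash algorithm follows the token's signing algorithm).
HASH_FOR_ALG = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def create_half_hash(value: str, alg: str):
    """Base64url (no padding) of the left-most half of hash(value).

    Returns None for an unknown alg. That return contract is the same one the
    advisory attributes to the real helper; the caller must not read it as success.
    """
    digest_name = HASH_FOR_ALG.get(alg)
    if digest_name is None:
        return None
    digest = hashlib.new(digest_name, value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_fail_open(claim_hash: str, value: str, alg: str) -> bool:
    """Vulnerable shape: a None from create_half_hash is mistaken for 'verified'.

    A token whose header carries an alg outside HASH_FOR_ALG passes the
    at_hash / c_hash check without any digest being compared at all.
    """
    expected = create_half_hash(value, alg)
    if expected is None:
        return True  # BUG: unsupported alg -> no check -> accepted
    return hmac.compare_digest(expected, claim_hash or "")


def verify_hash_fail_closed(claim_hash: str, value: str, alg: str) -> bool:
    """Hardened shape: anything the verifier cannot compute is a failed check."""
    expected = create_half_hash(value, alg)
    if expected is None:
        return False  # fail closed: an unknown alg is a rejection, not a pass
    if not isinstance(claim_hash, str) or not claim_hash:
        return False  # a missing or empty claim is not a pass either
    return hmac.compare_digest(expected, claim_hash)


def validate_token_hashes(claims: dict, alg: str, access_token=None, code=None,
                          verify=verify_hash_fail_closed) -> bool:
    """Apply the hash check to whichever artifacts accompany the ID Token.

    `claims` is the ID Token payload (signature already checked) and `alg` the
    JWS header alg that was used for that signature check. Each artifact that
    was presented alongside the ID Token must have a matching hash claim.
    """
    for claim_name, artifact in (("at_hash", access_token), ("c_hash", code)):
        if artifact is None:
            continue
        if not verify(claims.get(claim_name, ""), artifact, alg):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a hash claim that cannot match any real artifact.
    token = "constructed-access-token"
    claims = {"at_hash": "not-a-real-hash"}
    for alg in ("RS256", "XX999"):  # XX999 is a made-up, unsupported alg
        print(alg,
              "fail-open accepts:", validate_token_hashes(claims, alg, token, verify=verify_hash_fail_open),
              "fail-closed accepts:", validate_token_hashes(claims, alg, token))
```

Run as a script, the RS256 row is rejected by both checks because the claim does not match, while the made-up XX999 row is accepted by the fail-open check and rejected by the fail-closed one. The defensive point is the second branch of verify_hash_fail_closed: the only way to pass is to compute a digest and find it equal, so an algorithm the verifier does not know can never be a shortcut around the comparison.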

Related Identifiers

BDU:2026-04354
CVE-2026-28498
ECHO-435F-9EB9-99CB
GHSA-M344-F55W-2M6J
OPENSUSE-SU-2026:20392-1
SUSE-SU-2026:0975-1

Affected Products

Oauthlib
Red Os