PT-2026-29428 · Unknown · Flask-Httpauth

Npbhatter17 · Published 2026-03-31 · Updated 2026-04-13 · CVE-2026-34531

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Flask-HTTPAuth versions prior to 4.8.1

Description
Flask-HTTPAuth, when used with token authentication, could potentially authenticate client requests against any user in the database with an empty string set as their token if the client request does not include a token or includes an empty token. This occurs because the application's token verification callback function is invoked with an empty string as the token argument. This issue only applies to token authentication and applications that verify tokens by searching for them in a user database. It does not affect Basic or Digest authentication, or tokens verified through cryptographic means.

Recommendations
Ensure no user in the user database has their token set to an empty string. Change the value of those tokens to NULL instead. Alternatively, upgrade to Flask-HTTPAuth version 4.8.1 or later.
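The following is an added illustration, not code from Flask-HTTPAuth or from this advisory. It models the pattern the description calls out (a verify callback that looks the token up in a user table, invoked with an empty string when the request carries no token) against a constructed in-memory user list, and shows the two mitigations side by side: rejecting empty tokens before the lookup, and replacing empty-string tokens with NULL. The `extract_token` helper, the `USERS` table and all usernames and token values are assumptions made for the example; no Flask import is needed to run it.

```python
# Added example (not Flask-HTTPAuth's own code): models the lookup-by-token
# callback pattern the advisory describes, without Flask or Flask-HTTPAuth.
from typing import Callable, Optional

# Constructed in-memory user table (assumption for this example).
# "bob" has an empty-string token, the state the advisory warns about;
# "carol" has the recommended NULL (None) instead.
USERS = [
    {"username": "alice", "token": "tok-alice-0001"},
    {"username": "bob",   "token": ""},      # empty token: the dangerous state
    {"username": "carol", "token": None},    # recommended: NULL instead of ""
]


def extract_token(headers: dict) -> str:
    """Mimic a token extractor that yields "" when the Authorization header is
    missing, empty, or not a Bearer credential. This reproduces the condition
    in the advisory: the verify callback is then called with "" as the token."""
    value = headers.get("Authorization", "")
    scheme, _, credentials = value.partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return credentials.strip()


def verify_token_vulnerable(token: str) -> Optional[str]:
    """Lookup-by-token callback with no empty-token guard. If any row stores
    token == "", a request with no token (token == "") matches that row."""
    for user in USERS:
        if user["token"] == token:
            return user["username"]
    return None


def verify_token_hardened(token: str) -> Optional[str]:
    """Same lookup, but an empty or missing token is rejected before any row is
    compared, and NULL tokens are never eligible to match."""
    if not token:
        return None
    for user in USERS:
        if user["token"] is not None and user["token"] == token:
            return user["username"]
    return None


def normalize_empty_tokens(users: list) -> int:
    """Apply the advisory's first recommendation: replace "" tokens with NULL.
    Returns the number of rows changed so an operator can audit the cleanup."""
    changed = 0
    for user in users:
        if user["token"] == "":
            user["token"] = None
            changed += 1
    return changed


def authenticate(headers: dict, verify: Callable[[str], Optional[str]]) -> Optional[str]:
    """Run the request headers through extraction and the given verify callback."""
    return verify(extract_token(headers))


if __name__ == "__main__":
    no_auth: dict = {}
    print("vulnerable, no header:", authenticate(no_auth, verify_token_vulnerable))  # bob
    print("hardened,   no header:", authenticate(no_auth, verify_token_hardened))    # None
    print("rows normalized      :", normalize_empty_tokens(USERS))                    # 1
    print("vulnerable after fix :", authenticate(no_auth, verify_token_vulnerable))  # None
```

Either mitigation alone closes the gap in this model: the guard in `verify_token_hardened` stops the empty string from reaching the comparison, and `normalize_empty_tokens` removes the row that an empty string could match. Applying both is the defensive choice, since the guard protects against rows added later and the data cleanup protects callbacks that were never updated.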

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-34531
GHSA-P44Q-VQPR-4XMG
OPENSUSE-SU-2026:10518-1
OPENSUSE-SU-2026:20576-1

Affected Products

Flask-Httpauth