SB2026022671 - Ubuntu update for python-authlib


Published: February 26, 2026

Security Bulletin ID: SB2026022671
Severity: High
Patch available: Yes
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by severity: High 20%, Medium 80%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Cryptographic issues (CVE-ID: CVE-2024-37568)

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to algorithm confusion with asymmetric public keys: unless the caller specifies an algorithm in the jwt.decode call, HMAC verification is allowed with any asymmetric public key.


2) Incorrect authorization (CVE-ID: CVE-2025-59420)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists because Authlib's JWS verification accepts tokens that declare unknown critical header parameters (crit), violating the RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed-language fleets, this enables split-brain verification and can lead to policy bypass, replay, or privilege escalation.


3) Resource exhaustion (CVE-ID: CVE-2025-61920)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the way Authlib's JOSE implementation handles untrusted input. A remote non-authenticated attacker can send an overly large amount of data to the application via unbounded JWS/JWT header and signature segments, consuming memory and CPU resources and leading to a denial of service condition.


4) Resource exhaustion (CVE-ID: CVE-2025-62706)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists because Authlib's JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt. A remote user can supply decryptable tokens that exhaust memory and CPU resources, leading to a denial of service condition.
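The four JOSE issues above (items 1 through 4) share one defensive pattern: validate the protected header and bound every untrusted size before doing any signature or decompression work. The following is an added example of such a pre-validation layer in plain Python; it is not Authlib's code, and the size limits, the UNDERSTOOD_CRIT set and the compact_token and raw_deflate helpers are constructed for illustration.

```python
import base64, json, zlib
# Constructed limits for this example; they are not Authlib's own values.
MAX_SEGMENT_CHARS = 4096         # cap on header/signature segments (cf. CVE-2025-61920)
MAX_INFLATED_BYTES = 256 * 1024  # cap on zip=DEF expansion (cf. CVE-2025-62706)
UNDERSTOOD_CRIT = {"b64"}        # crit values this verifier implements (cf. CVE-2025-59420)

def compact_token(header: dict, payload: dict) -> str:
    """Build a constructed compact JWS with a dummy signature, for the checks below."""
    segs = [json.dumps(header).encode(), json.dumps(payload).encode(), b"dummy-signature"]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs)

def prevalidate_jws_header(token: str, allowed_algs: set) -> dict:
    """Checks to run before any signature work; returns the protected header or raises."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS needs exactly three segments")
    if len(parts[0]) > MAX_SEGMENT_CHARS or len(parts[2]) > MAX_SEGMENT_CHARS:
        raise ValueError("header or signature segment too large")
    header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    # The caller pins the algorithm; the token never chooses it (cf. CVE-2024-37568).
    if header.get("alg") not in allowed_algs:
        raise ValueError("alg not in caller allowlist")
    crit = header.get("crit", [])
    if not (isinstance(crit, list) and all(isinstance(c, str) for c in crit)):
        raise ValueError("crit must be a list of strings")
    unknown = set(crit) - UNDERSTOOD_CRIT
    if unknown:  # RFC 7515 section 4.1.11: every crit entry must be understood
        raise ValueError("unknown critical header parameters: %s" % sorted(unknown))
    return header

def raw_deflate(data: bytes) -> bytes:  # raw DEFLATE as used by JWE zip=DEF (sample input)
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

def bounded_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE (JWE zip=DEF) without letting output exceed `limit` bytes."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit + 1)  # stop producing output once the cap is crossed
    if len(out) <= limit and not d.unconsumed_tail:
        out += d.flush()                 # only a small pending remainder can be left
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError("decompressed payload exceeds %d bytes" % limit)
    return out

def rejected(fn, *args) -> bool:  # True if fn(*args) raises ValueError
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

In a real deployment these checks sit in front of the library call, with allowed_algs taken from server configuration rather than from anything in the token.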


5) Cross-site request forgery (CVE-ID: CVE-2025-68158)

The vulnerability allows a remote user to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in authlib/integrations/base_client/framework_integration.py. A remote user can trick the victim into visiting a specially crafted web page and perform account takeover.


Remediation

Install the update from the vendor's website.