SB2026031735 - Multiple vulnerabilities in Authlib

Published: March 17, 2026

Security Bulletin ID: SB2026031735
Severity: Critical
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Critical: 33% (1 of 3)
High: 67% (2 of 3)

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-27962)

The vulnerability allows a remote attacker to bypass authentication checks.

The vulnerability exists due to improper validation of header parameters when verifying JSON Web Token (JWT) signatures. A remote attacker can forge a JWT that passes signature verification and bypass authentication checks.


2) Improper validation of integrity check value (CVE-ID: CVE-2026-28498)

The vulnerability allows a remote attacker to bypass authentication checks.

The vulnerability exists due to an error in the internal hash verification logic (_verify_hash) that validates the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims: it fails open when it encounters an unsupported or unknown cryptographic algorithm. A remote attacker can bypass these mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter, defeating validation of OpenID Connect (OIDC) ID Tokens.
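The following is an added illustration for this bulletin, written against the OpenID Connect Core rules for at_hash and c_hash; it is not Authlib's _verify_hash and uses only the Python standard library. It places the fail-open shape described above next to a fail-closed version, where an unknown alg raises instead of silently passing. The function names and the sample token values are assumptions constructed for the example.

```python
"""Fail-closed at_hash / c_hash verification for OpenID Connect ID Tokens.

Illustrative example written for this bulletin using only the standard
library; it is not Authlib's _verify_hash. The function names and the sample
token values below are assumptions constructed for the example.
"""
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional

# OpenID Connect Core 3.1.3.6 (at_hash) and 3.3.2.11 (c_hash): hash the ASCII
# octets of the value with the hash function matching the ID Token's JWS alg,
# keep the left-most half, base64url-encode it without padding.
_HASH_FOR_ALG: Dict[str, Callable] = {}
for _bits, _fn in (("256", hashlib.sha256), ("384", hashlib.sha384), ("512", hashlib.sha512)):
    for _prefix in ("HS", "RS", "ES", "PS"):
        _HASH_FOR_ALG[_prefix + _bits] = _fn


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_hash(alg: str, value: str) -> str:
    """Expected at_hash / c_hash of `value` under JWS algorithm `alg`.

    An algorithm that is not in the table raises ValueError; nothing here
    returns a placeholder that a caller could mistake for success."""
    hash_fn = _HASH_FOR_ALG.get(alg)
    if hash_fn is None:
        raise ValueError("unsupported alg for at_hash/c_hash: %r" % (alg,))
    digest = hash_fn(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def _equal(expected: str, claim: str) -> bool:
    # Constant-time comparison on bytes, so a non-ASCII claim cannot raise TypeError.
    return hmac.compare_digest(expected.encode("ascii"), claim.encode("utf-8"))


def verify_hash_fail_open(alg: str, claim: str, value: str) -> bool:
    """Shape of the defect the bulletin describes, kept as the 'before' picture:
    an unrecognised alg short-circuits to success, so whoever controls the
    ID Token's alg header controls whether the check happens at all."""
    hash_fn = _HASH_FOR_ALG.get(alg)
    if hash_fn is None:
        return True  # fail-open
    digest = hash_fn(value.encode("ascii")).digest()
    return _equal(_b64url(digest[: len(digest) // 2]), claim)


def verify_hash(alg: str, claim: str, value: str) -> bool:
    """Fail-closed replacement: an unknown alg raises instead of passing."""
    return _equal(token_hash(alg, value), claim)


def verify_id_token_hashes(header: dict, claims: dict,
                           access_token: Optional[str] = None,
                           code: Optional[str] = None) -> None:
    """Validate at_hash / c_hash against the artefacts issued with the ID Token.

    Call this only after the JWS signature has been verified with the same
    header. Simplification for the example: whenever an access_token or code
    was returned alongside the ID Token, the matching claim is required."""
    alg = header.get("alg")
    for claim_name, value in (("at_hash", access_token), ("c_hash", code)):
        if value is None:
            continue
        claim = claims.get(claim_name)
        if not isinstance(claim, str):
            raise ValueError("ID Token is missing %s" % claim_name)
        if not verify_hash(alg, claim, value):
            raise ValueError("%s does not match the issued value" % claim_name)


if __name__ == "__main__":
    access_token = "constructed-access-token-value"  # constructed, not a real token
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": "alice", "at_hash": token_hash("RS256", access_token)}
    verify_id_token_hashes(header, claims, access_token=access_token)
    print("genuine at_hash accepted")

    forged = {"alg": "XX999"}  # the bulletin's attack: a deliberately unknown alg
    print("fail-open accepts forged token:", verify_hash_fail_open("XX999", "bogus", access_token))
    try:
        verify_id_token_hashes(forged, claims, access_token=access_token)
    except ValueError as exc:
        print("fail-closed rejects forged token:", exc)
```

The design point is that the alg used to select the hash function is the same alg the signature verifier already had to resolve; any value that verifier would not have accepted must be an error here too, never a skipped check.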


3) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-28490)

The vulnerability allows a remote attacker to decrypt JWT tokens.

The vulnerability exists because the JSON Web Encryption (JWE) implementation accepts the RSA1_5 (RSAES-PKCS1-v1_5) key management algorithm without requiring explicit opt-in, and its handling of key unwrapping undoes the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly, exposing a padding oracle. A remote attacker can use the oracle to decrypt encrypted JWTs used for authentication and bypass the authentication mechanisms of OAuth and OpenID Connect servers built on the library.
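The following is an added illustration for this bulletin of the opt-in policy the description calls for; it is not Authlib's JWE implementation and uses only the Python standard library. It parses the protected header of a compact JWE and rejects RSA1_5 (and any unknown algorithm) before any private-key operation, unless the deployment explicitly enables it. JWEPolicy, JWEPolicyError, is_allowed and the constructed sample tokens are assumptions made for the example.

```python
"""Explicit opt-in policy for JWE key-management algorithms.

Illustrative standard-library example written for this bulletin; it is not
Authlib's JWE implementation. JWEPolicy, JWEPolicyError and the constructed
sample tokens are assumptions made for the example.
"""
import base64
import json
from typing import Dict, Iterable

# Key-management algorithms accepted by default (names from RFC 7518 4.1).
# RSA1_5 (RSAES-PKCS1-v1_5) is deliberately absent: it is the algorithm a
# Bleichenbacher padding oracle targets, so it must be switched on by the
# deployment, never assumed.
DEFAULT_ALGS = frozenset({
    "RSA-OAEP", "RSA-OAEP-256",
    "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A256KW",
    "A128KW", "A256KW", "A128GCMKW", "A256GCMKW", "dir",
})
# Content encryption algorithms accepted by default (RFC 7518 5.1).
DEFAULT_ENCS = frozenset({"A128GCM", "A256GCM", "A128CBC-HS256", "A256CBC-HS512"})


class JWEPolicyError(ValueError):
    """Raised before any private-key operation when a token violates policy."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class JWEPolicy:
    def __init__(self, algs: Iterable[str] = DEFAULT_ALGS,
                 encs: Iterable[str] = DEFAULT_ENCS,
                 allow_rsa1_5: bool = False) -> None:
        self.algs = set(algs)
        if allow_rsa1_5:
            # The only place RSA1_5 can enter. A deployment that enables it must
            # also make sure its decrypt path gives no distinguishable error or
            # timing signal between a bad PKCS#1 v1.5 unwrap and a bad AEAD tag,
            # otherwise it reintroduces the oracle the bulletin describes.
            self.algs.add("RSA1_5")
        self.encs = set(encs)

    def check(self, compact: str) -> Dict[str, object]:
        """Parse the protected header of a compact JWE and enforce the policy.

        Runs before key unwrapping, so a disallowed alg never reaches the RSA
        private key and cannot be used to query a padding oracle. Returns the
        header so the caller can proceed with decryption under the same policy."""
        parts = compact.split(".")
        if len(parts) != 5:
            raise JWEPolicyError("not a compact JWE: expected 5 segments, got %d" % len(parts))
        try:
            header = json.loads(_b64url_decode(parts[0]))
        except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
            raise JWEPolicyError("malformed protected header") from exc
        if not isinstance(header, dict):
            raise JWEPolicyError("protected header is not a JSON object")
        alg = header.get("alg")
        enc = header.get("enc")
        if alg not in self.algs:  # unknown and disallowed algs fail identically
            raise JWEPolicyError("key-management alg %r is not enabled" % (alg,))
        if enc not in self.encs:
            raise JWEPolicyError("content encryption alg %r is not enabled" % (enc,))
        return header


def constructed_jwe(alg: str, enc: str) -> str:
    """Build a compact JWE with a real protected header and dummy remaining
    segments (constructed for the example; it does not decrypt to anything)."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": alg, "enc": enc}).encode("utf-8")).rstrip(b"=").decode("ascii")
    return ".".join([header, "ZW5jcnlwdGVkLWtleQ", "aXY", "Y2lwaGVydGV4dA", "dGFn"])


def is_allowed(compact: str, allow_rsa1_5: bool = False) -> bool:
    """True if the token passes the policy, False if it is rejected."""
    try:
        JWEPolicy(allow_rsa1_5=allow_rsa1_5).check(compact)
        return True
    except JWEPolicyError:
        return False


if __name__ == "__main__":
    legacy = constructed_jwe("RSA1_5", "A128CBC-HS256")
    modern = constructed_jwe("RSA-OAEP-256", "A256GCM")
    print("RSA1_5 by default:", is_allowed(legacy))                            # False
    print("RSA1_5 with explicit opt-in:", is_allowed(legacy, True))            # True
    print("RSA-OAEP-256 by default:", is_allowed(modern))                      # True
    print("unknown alg:", is_allowed(constructed_jwe("RSA-FOO", "A256GCM")))  # False
```

Gating on the header is cheap and removes the attack surface entirely for deployments that never issued RSA1_5 tokens; it does not repair the decrypt path itself, so the opt-in flag should only be set where RSA1_5 ciphertexts genuinely still have to be accepted and the patched library is installed.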


Remediation

Install the update from the vendor's website.