SB2026032421 - SUSE update for python-Authlib

Published: March 24, 2026

Security Bulletin ID: SB2026032421
CSH Severity: Critical
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Critical: 33%
High: 67%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-27962)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Red


The vulnerability allows a remote attacker to bypass authentication checks.

The vulnerability exists due to improper validation of HTTP headers. A remote attacker can forge arbitrary JWT tokens that pass signature verification and thereby bypass authentication checks.


2) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-28490)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to decrypt JWT tokens.

The vulnerability exists because the JSON Web Encryption (JWE) implementation accepts the RSA1_5 key management algorithm without requiring explicit opt-in and actively defeats the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. A remote attacker can decrypt JWT tokens used for authentication and thereby bypass the authentication mechanisms used by OAuth and OpenID Connect servers.


3) Improper validation of integrity check value (CVE-ID: CVE-2026-28498)

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication checks.

The vulnerability exists due to an error in the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims: it fails open when it encounters an unsupported or unknown cryptographic algorithm. A remote attacker can bypass these mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter, and thereby bypass validation of OpenID Connect (OIDC) ID Tokens.


Remediation

Install the update from the vendor's website.