Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Authlib: Malicious JWTs Can Bypass Signature Verification
DEBIAN-CVE-2026-28802
Summary
A bug in Authlib allowed malicious tokens to be accepted as valid, even if they had no digital signature. This could potentially allow attackers to impersonate users or access unauthorized data. Update to version 1.6.7 or later to fix the issue.
What to do
- Update debian python-authlib to version 1.6.7-1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | python-authlib | All versions | – |
| debian | python-authlib | All versions | – |
| debian | python-authlib | <= 1.6.7-1 | 1.6.7-1 |
Original title
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an e...
Original description
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.
osv CVSS3.1
9.8
- https://security-tracker.debian.org/tracker/CVE-2026-28802 Vendor Advisory
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026