Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.7
Authlib: Malicious JWTs Can Bypass Security Checks in Older Versions
CVE-2026-28802
GHSA-7wc2-qxgw-g8gg
GHSA-7wc2-qxgw-g8gg
Summary
Older versions of Authlib, a library used to build OAuth and OpenID Connect servers, can be tricked into accepting fake security tokens. This could allow attackers to bypass security checks. Update to version 1.6.7 or later to fix this issue.
What to do
- Update authlib to version 1.6.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | authlib | > 1.6.5 , <= 1.6.6 | 1.6.7 |
| – | authlib | > 1.6.5 , <= 1.6.7 | 1.6.7 |
| authlib | authlib | > 1.6.5 , <= 1.6.7 | – |
Original title
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an e...
Original description
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.
nvd CVSS4.0
7.7
Vulnerability type
CWE-347
Improper Verification of Cryptographic Signature
- https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a...
- https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761d...
- https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
- https://github.com/advisories/GHSA-7wc2-qxgw-g8gg
- https://nvd.nist.gov/vuln/detail/CVE-2026-28802
- https://github.com/authlib/authlib Product
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026