{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28802", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.246Z", "datePublished": "2026-03-06T06:44:26.402Z", "dateUpdated": "2026-03-06T16:05:35.082Z"}, "containers": {"cna": {"title": "Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg"}, {"name": "https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75"}, {"name": "https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7"}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"version": ">= 1.6.5, < 1.6.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T06:44:26.402Z"}, "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7."}], "source": {"advisory": "GHSA-7wc2-qxgw-g8gg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:04.267898Z", "id": "CVE-2026-28802", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:05:35.082Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:04.267898Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:06.142Z"}}], "cna": {"title": "Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification", "source": {"advisory": "GHSA-7wc2-qxgw-g8gg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"status": "affected", "version": ">= 1.6.5, < 1.6.7"}]}], "references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg", "name": "https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75", "name": "https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7", "name": "https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T06:44:26.402Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28802", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:05:35.082Z", "dateReserved": "2026-03-03T14:25:19.246Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T06:44:26.402Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DBAF459-BB6F-4AF1-935B-D9A8D40C643A", "versionEndExcluding": "1.6.7", "versionStartIncluding": "1.6.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7."}], "id": "CVE-2026-28802", "lastModified": "2026-03-09T21:20:56.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T07:16:01.053", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "authlib: Authlib: Signature verification bypass via malicious JWT allows unauthorized access", "id": "2445120", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445120"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-347", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-28802", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite/foreman-mcp-server-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-06T06:44:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28802\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28802\nhttps://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75\nhttps://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7\nhttps://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.5,1.6.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "authlib", "source": "cna", "vendor": "authlib"}, "product": "authlib", "vendor": "authlib"}], "analysis": {"en": {"generated_at": "2026-04-16T11:30:38.216626+00:00", "value": {"mitigation_remediation": ["Update Authlib to version 1.6.7 or newer.", "Configure the application to reject any JWT whose algorithm is 'none' and require a valid signature for all tokens.", "Audit the JWT handling code to enforce a strict list of accepted algorithms and enable signature verification."], "summary": {"action": "Update to 1.6.7", "impact": "Signature verification bypass via 'alg:none' JWT"}, "threat_synthesis": {"affected_systems": "Authlib library versions from 1.6.5 up to, but not including, 1.6.7 are affected. Applications that use these versions to validate OAuth or OpenID Connect tokens are at risk.", "description_and_impact": "A malicious JWT containing the algorithm field set to 'none' and an empty signature allows an attacker to bypass the signature verification step in Authlib. As a result, forged tokens can be accepted, providing the attacker with unauthorized access and the ability to impersonate other users. The flaw is classified as CWE-347, indicating broken authentication.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.7, indicating high severity. Its EPSS score is less than 1%, signifying a low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a JWT with 'alg:none' and no signature, which can then be processed by any application that relies on Authlib without additional checks."}}}}, "created": "2026-03-06T14:55:34.775774+00:00", "updated": "2026-04-16T11:45:26.258191+00:00", "vendors": ["authlib", "authlib$PRODUCT$authlib"]}