CVE-2026-27962
CRITICAL 9.1 | EPSS 0.08% | Authlib JWS JWK Header Injection: Signature Verification Bypass
Description
Authlib is a Python library for building OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in Authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts the cryptographic key embedded in the attacker-controlled jwk header field of the JWT and uses it to verify the signature. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid, bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
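The root cause above is key resolution controlled by the token rather than by the verifier. The following is an added, self-contained example (not Authlib's code, and not the patch from the referenced commit) showing the defensive pattern: a minimal compact-JWS verifier that looks keys up only in a trusted, server-side key set keyed by `kid` and refuses any token whose header carries its own key material (`jwk`, `jku`, `x5u`, `x5c`). It uses HS256 with the standard library so it runs offline; the constructed key set and tokens are sample data. With Authlib itself the equivalent fix is to always pass an explicit key or trusted key set to the deserialization call and never `key=None`.

```python
import base64
import hashlib
import hmac
import json

# Constructed trusted key set: the verifier may ONLY use keys listed here,
# resolved by the token's "kid". Real deployments load this from configuration
# or a pinned JWKS endpoint, never from the token being verified.
TRUSTED_KEYS = {
    "server-key-1": b"constructed-server-secret-do-not-reuse",
}

# Header fields that let a token carry or point at its own verification key.
KEY_BEARING_HEADERS = ("jwk", "jku", "x5u", "x5c")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that compact JWS strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS (HS256). Used here only to construct sample tokens."""
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, trusted_keys: dict = TRUSTED_KEYS) -> dict:
    """Verify a compact JWS and return its payload, or raise ValueError.

    The security-relevant step is key resolution: the key comes from
    trusted_keys via "kid" and from nowhere else. Any header that embeds or
    references key material is rejected before the signature is checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    for field in KEY_BEARING_HEADERS:
        if field in header:
            raise ValueError(f"header-supplied key material ({field}) not allowed")
    key = trusted_keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p_b64))


def demo() -> dict:
    """Check a legitimately signed token and a token carrying its own jwk header."""
    legit = sign_hs256(
        {"alg": "HS256", "kid": "server-key-1"}, {"sub": "alice"}, TRUSTED_KEYS["server-key-1"]
    )
    # Constructed negative case: a token signed with a key the server never
    # issued, with that key embedded in the header (the pattern this CVE describes).
    other_key = b"constructed-untrusted-key"
    self_keyed = sign_hs256(
        {"alg": "HS256", "kid": "server-key-1", "jwk": {"kty": "oct", "k": _b64url_encode(other_key)}},
        {"sub": "admin"},
        other_key,
    )
    results = {"legit": verify_hs256(legit)["sub"]}
    try:
        verify_hs256(self_keyed)
        results["self_keyed"] = "accepted"
    except ValueError as exc:
        results["self_keyed"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The verifier treats the presence of a key-bearing header as a hard error rather than silently ignoring it, which also makes such tokens easy to alert on in application logs.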
Affected packages (2)
- Debian/python-authlib: from 0, < 0.15.4-1+deb11u2
- PyPI/authlib: from 0, < 1.6.9
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (6)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27962
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2026-27962
- PATCH https://github.com/authlib/authlib
- WEB https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681
- WEB https://github.com/authlib/authlib/releases/tag/v1.6.9
- WEB https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5