CVE-2026-28490— Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-28490
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
Source: NVD (National Vulnerability Database)
Vulnerability Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过差异性导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Authlib 加密问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Authlib是Authlib开源的一个构建 OAuth 和 OpenID Connect 服务器的终极 Python 库。 Authlib 1.6.9之前版本存在加密问题漏洞,该漏洞源于JSON Web Encryption RSA1_5密钥管理算法实现存在加密填充预言机漏洞,可能破坏底层密码库的恒定时间缓解措施。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-28490
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-28490
请登录查看更多情报信息。
- Release v1.6.9 · authlib/authlib · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-28490
Same Patch Batch · authlib · 2026-03-16 · 3 CVEs total
| CVE-2026-27962 | 9.1 CRITICAL | Authlib JWS JWK Header Injection: Signature Verification Bypass |
| CVE-2026-28498 | Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding |
IV. Related Vulnerabilities
Same product: authlib
- CVE-2026-41425
Authlib: Cross-site request forging when using cache - CVE-2026-28498
Authlib: Fail-Open Cryptographic Verification in OIDC Hash B - CVE-2026-27962
Authlib JWS JWK Header Injection: Signature Verification Byp - CVE-2026-28802
Authlib: Setting `alg: none` and a blank signature appears t - CVE-2025-68158
Authlib: 1-click Account Takeover
Same vendor: authlib
- CVE-2026-41425
Authlib: Cross-site request forging when using cache - CVE-2026-28498
Authlib: Fail-Open Cryptographic Verification in OIDC Hash B - CVE-2026-27962
Authlib JWS JWK Header Injection: Signature Verification Byp - CVE-2026-28802
Authlib: Setting `alg: none` and a blank signature appears t - CVE-2026-27932
joserfc PBES2 p2c Unbounded Iteration Count enables Denial o
Same weakness: CWE-203
- CVE-2026-44263
Weblate: Private Translation Enumeration via Screenshot API - CVE-2023-5872
Wago: Vulnerability in Smart Designer Web-Application - CVE-2026-33429
Parse Server: Protected field change detection oracle via Li - CVE-2026-33425
Discourse has inferable private group membership or existenc - CVE-2026-3580
Compiler-induced timing leak in sp_256_get_entry_256_9 on RI
V. Comments for CVE-2026-28490
No comments yet