CVE-2026-28498— Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-28498
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
Source: NVD (National Vulnerability Database)
Vulnerability Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
完整性检查值验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Authlib 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Authlib是Authlib开源的一个构建 OAuth 和 OpenID Connect 服务器的终极 Python 库。 Authlib 1.6.9之前版本存在安全漏洞,该漏洞源于OpenID Connect ID令牌验证逻辑存在失败开放行为,可能导致攻击者通过提供伪造令牌绕过完整性保护。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-28498
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-28498
请登录查看更多情报信息。
- Release v1.6.9 · authlib/authlib · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-28498
Same Patch Batch · authlib · 2026-03-16 · 3 CVEs total
| CVE-2026-27962 | 9.1 CRITICAL | Authlib JWS JWK Header Injection: Signature Verification Bypass |
| CVE-2026-28490 | Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle |
IV. Related Vulnerabilities
Same product: authlib
- CVE-2026-41425
Authlib: Cross-site request forging when using cache - CVE-2026-28490
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Orac - CVE-2026-27962
Authlib JWS JWK Header Injection: Signature Verification Byp - CVE-2026-28802
Authlib: Setting `alg: none` and a blank signature appears t - CVE-2025-68158
Authlib: 1-click Account Takeover
Same vendor: authlib
- CVE-2026-41425
Authlib: Cross-site request forging when using cache - CVE-2026-28490
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Orac - CVE-2026-27962
Authlib JWS JWK Header Injection: Signature Verification Byp - CVE-2026-28802
Authlib: Setting `alg: none` and a blank signature appears t - CVE-2026-27932
joserfc PBES2 p2c Unbounded Iteration Count enables Denial o
Same weakness: CWE-354
- CVE-2026-8597
Missing integrity verification in Triton inference handler i - CVE-2026-32148
Lockfile checksums not verified in Hex allows dependency int - CVE-2026-32105
xrdp: RDP MAC signature (dataSignature) never verified on re - CVE-2026-5479
wolfSSL EVP ChaCha20-Poly1305 AEAD authentication tag - CVE-2026-5504
PKCS7 CBC Padding Oracle — Plaintext Recovery
V. Comments for CVE-2026-28498
No comments yet