CVE-2026-28498

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b	Patch
https://github.com/authlib/authlib/releases/tag/v1.6.9	Product Release Notes
https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*

History

17 Mar 2026, 20:40

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b -~~	() https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b - Patch
References	~~() https://github.com/authlib/authlib/releases/tag/v1.6.9 -~~	() https://github.com/authlib/authlib/releases/tag/v1.6.9 - Product, Release Notes
References	~~() https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j -~~	() https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j - Exploit, Mitigation, Vendor Advisory
CPE		cpe:2.3:a:authlib:authlib::::::::
First Time		Authlib authlib Authlib

16 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 18:16

Updated : 2026-03-17 20:40

NVD link : CVE-2026-28498

Mitre link : CVE-2026-28498

CVE.ORG link : CVE-2026-28498

JSON object : View

Products Affected

authlib

authlib

CWE

CWE-354

Improper Validation of Integrity Check Value

CWE-573

Improper Following of Specification by Caller

7.5 /10