CVE-2024-37568 — Improper Access Control in Authlib

CWE-284 — Improper Access Control CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-347 — Improper Verification of Cryptographic Signature7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 67.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Authlib Debian Python-authlib

Timeline

PublishedJun 9

Latest updateFeb 25

Description

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDauthlib/authlib< 1.3.1

▶PyPIauthlib/authlib< 1.3.1

▶debiandebian/python-authlib< python-authlib 0.15.4-1+deb11u1 (bullseye)

🔴Vulnerability Details

OSV

python-authlib vulnerabilities↗2026-02-25

▶

OSV

CVE-2024-37568: lepture Authlib before 1↗2024-06-09

▶

OSV

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

GHSA

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

📋Vendor Advisories

Ubuntu

Authlib vulnerabilities↗2026-02-25

▶

Debian

CVE-2024-37568: python-authlib - lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys...↗2024

▶