CVE-2026-27962
published 2026-03-16


Priority: P2 63 · critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.55% (41.7th percentile)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

Affected (3 ranges)

| Vendor  | Product        | Version range            | Fixed in                   |
|---------|----------------|--------------------------|----------------------------|
| authlib | authlib        | < 1.6.9                  | 1.6.9                      |
| authlib | authlib        | >= 0, < 1.6.9            | 1.6.9                      |
| debian  | python-authlib | < 1.6.9-1 (forky)        | python-authlib 1.6.9-1 (forky) |

Detection & IOCs (extracted from sources)

  • Trigger condition: the vulnerable code path is reached when `key=None` is passed to any JWS deserialization function (e.g., `jws.deserialize_compact()`), causing authlib to extract and trust the cryptographic key from the attacker-controlled `jwk` JWT header field.
  • Attack pattern: look for JWT tokens containing a `jwk` header field with an embedded public key — this is the attacker's self-signed key used to forge tokens that bypass signature verification.
  • Audit all code paths in applications using authlib where `jws.deserialize_compact()` or any JWS deserialization function is called with `key=None` or without an explicit key argument — these are exploitable entry points.
  • Only authlib versions prior to 1.6.9 are vulnerable. Upgrade to 1.6.9 or later to remediate. Debian `forky` and `sid` are resolved at 1.6.9-1; `bookworm`, `bullseye`, and `trixie` remain open.
  • Applications that never call JWS deserialization with `key=None` are not exploitable. Red Hat Satellite's use of `jwt.decode()` (not `jws.deserialize_compact()`) is confirmed not reachable even with `key=None`.
  • Applications that use authlib only as a JWK parsing utility and delegate JWT signature verification to a separate library (e.g., PyJWT) are not affected by this vulnerability.
  • Authlib present only as a transitive dev dependency (not in production builds) is not affected.
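The following is an added, self-contained illustration of the trust failure described in the summary above and of the `jwk`-header check suggested in the detection bullets. It is not authlib's code and does not use authlib's API: it is a toy JWS verifier, standard library only, that reproduces the pattern "when `key=None`, take the key from the token's own `jwk` header" next to a hardened verifier that only ever resolves keys from a server-side key set by `kid`. HMAC-SHA256 with an `oct` JWK is used as a stand-in for the asymmetric case in the advisory (there the attacker embeds the public half of their own key pair); the security point, that the verifier lets the token choose its own verification key, is the same. All keys and tokens are generated in the block.

```python
"""Toy JWS verifier showing the CVE-2026-27962 pattern (added example, not authlib code).

verify_vulnerable(): key=None -> key is read from the attacker-controlled 'jwk' header.
verify_hardened():   key always comes from a server-side key set, 'jwk' header rejected.
has_embedded_jwk():  detection helper for tokens that carry a 'jwk' header.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_compact(payload: dict, key: bytes, header_extra: Optional[dict] = None) -> str:
    """Produce a compact JWS (HS256 stand-in) with optional extra header members such as 'jwk' or 'kid'."""
    header = {"alg": "HS256", "typ": "JWT"}
    if header_extra:
        header.update(header_extra)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def parse_compact(token: str) -> Tuple[dict, dict, bytes, bytes]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, (parts[0] + "." + parts[1]).encode("ascii"), b64url_decode(parts[2])


def verify_vulnerable(token: str, key: Optional[bytes] = None) -> dict:
    """Mirrors the pre-1.6.9 behaviour: with key=None the key embedded in the header is trusted."""
    header, payload, signing_input, sig = parse_compact(token)
    if key is None:
        jwk = header.get("jwk")
        if jwk is None:
            raise ValueError("no key available")
        key = b64url_decode(jwk["k"])  # attacker-controlled key material decides the outcome
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload


def verify_hardened(token: str, trusted_keys: Dict[str, bytes]) -> dict:
    """Key selection never depends on token content beyond a 'kid' lookup into a server-side set."""
    header, payload, signing_input, sig = parse_compact(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if "jwk" in header:
        raise ValueError("embedded jwk header rejected")
    key = trusted_keys.get(header.get("kid", ""))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload


def has_embedded_jwk(token: str) -> bool:
    """Detection: flag any token whose protected header carries a 'jwk' member."""
    header, _, _, _ = parse_compact(token)
    return "jwk" in header


def demo() -> Dict[str, bool]:
    """Forge a token with an attacker key embedded as 'jwk' and run it through both verifiers."""
    server_key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)
    forged = sign_compact({"sub": "admin", "role": "admin"}, attacker_key,
                          {"jwk": {"kty": "oct", "k": b64url_encode(attacker_key)}})
    legit = sign_compact({"sub": "alice"}, server_key, {"kid": "srv"})
    results = {"vulnerable_accepts_forged": verify_vulnerable(forged, key=None)["sub"] == "admin"}
    for name, fn in (("pinned_rejects_forged", lambda: verify_vulnerable(forged, key=server_key)),
                     ("hardened_rejects_forged", lambda: verify_hardened(forged, {"srv": server_key}))):
        try:
            fn()
            results[name] = False
        except ValueError:
            results[name] = True
    results["hardened_accepts_legit"] = verify_hardened(legit, {"srv": server_key})["sub"] == "alice"
    results["forged_has_jwk"] = has_embedded_jwk(forged)
    results["legit_has_jwk"] = has_embedded_jwk(legit)
    return results


if __name__ == "__main__":
    print(demo())
```

The same forged token is rejected the moment the verifier is handed a real key (`key=server_key`), which is why the advisory scopes exploitability to call sites that pass `key=None`; the hardened variant additionally refuses any token that tries to ship its own key, which is the condition `has_embedded_jwk()` flags for log review.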

CVSS provenance

| Source        | Version | Score | Severity | Vector                                        |
|---------------|---------|-------|----------|-----------------------------------------------|
| nvd           | v3.1    | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N  |
| osv           |         | 9.1   | CRITICAL |                                               |
| vendor_debian |         | 9.1   | CRITICAL |                                               |
| vendor_redhat |         | 9.1   | CRITICAL |                                               |