Severity: 8.2 HIGH (NVD)
EPSS: 0.0% (top 96.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 16, latest update Apr 15

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorit
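As an added illustration of the fail-open pattern the description names, the Python below contrasts a hash-claim verifier that silently accepts an at_hash or c_hash value when the ID Token's alg is unrecognised with one that refuses to proceed. This is a constructed example written for this page, not Authlib's _verify_hash or any other Authlib code. The hash derivation follows OIDC Core 1.0 (left-most half of the digest of the alg's hash function, base64url-encoded without padding); the alg-to-hash table, the function names, the HashClaimError class and the sample access token are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Hash function implied by each JWS "alg" (OIDC Core 1.0, sections 3.1.3.6 and 3.3.2.11).
# Assumed table for this example only; it is not Authlib's mapping.
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


class HashClaimError(ValueError):
    """Raised by the fail-closed verifier when a hash claim cannot be confirmed."""


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_hash_claim(value: str, alg: str) -> str:
    """at_hash / c_hash as an honest OP would compute it for the given token alg:
    base64url(left-most half of hash(ascii(value)))."""
    digest = _HASH_FOR_ALG[alg](value.encode("ascii")).digest()
    return _b64url_nopad(digest[: len(digest) // 2])


def verify_hash_fail_open(claim_value: str, value: str, alg: str) -> bool:
    """Fail-open pattern (constructed to show the bug class described above).

    An alg the verifier does not know is treated as "nothing to check", so the
    claim is accepted without ever being compared to anything.
    """
    hash_fn = _HASH_FOR_ALG.get(alg)
    if hash_fn is None:
        return True  # BUG: unknown alg -> attacker-chosen claim passes unverified
    expected = compute_hash_claim(value, alg)
    return hmac.compare_digest(claim_value.encode("ascii"), expected.encode("ascii"))


def verify_hash_fail_closed(claim_value: str, value: str, alg: str) -> bool:
    """Hardened form: an alg we cannot hash for is a verification failure, not a skip."""
    if alg not in _HASH_FOR_ALG:
        raise HashClaimError(f"cannot verify hash claim: unsupported alg {alg!r}")
    expected = compute_hash_claim(value, alg)
    if not hmac.compare_digest(claim_value.encode("ascii"), expected.encode("ascii")):
        raise HashClaimError("hash claim does not match the presented token")
    return True


if __name__ == "__main__":
    access_token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y"  # constructed sample value
    at_hash = compute_hash_claim(access_token, "RS256")
    print("honest token, RS256, fail-open   :", verify_hash_fail_open(at_hash, access_token, "RS256"))
    print("forged claim, bogus alg, fail-open:", verify_hash_fail_open("forged", access_token, "XX999"))
    try:
        verify_hash_fail_closed("forged", access_token, "XX999")
    except HashClaimError as exc:
        print("forged claim, bogus alg, fail-closed: rejected:", exc)
```

The only difference that matters is what happens on the `alg` lookup miss: returning True from a verifier means the binding between the ID Token and the access token or authorization code was never checked, whereas raising turns the same condition into a hard rejection. A verifier should also apply the same rule to any other unexpected header value it cannot act on, rather than treating "unknown" as "not applicable".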

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Debian: debian/python-authlib, < python-authlib 1.6.9-1 (forky)
NVD: authlib/authlib, < 1.6.9
PyPI: authlib/authlib, < 1.6.9

Patches

Vulnerability Details (4)

VulDB: Authlib up to 1.6.8 Header Parameter integrity check (Nessus ID 302537 / WID-SEC-2026-0935), 2026-04-15
OSV: Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding, 2026-03-16
OSV: CVE-2026-28498: Authlib is a Python library which builds OAuth and OpenID Connect servers, 2026-03-16
GHSA: Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding, 2026-03-16

Vendor Advisories (2)

Red Hat: authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens, 2026-03-16
Debian: CVE-2026-28498: python-authlib - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior..., 2026

Threat Intelligence (1)

Wiz: CVE-2026-28498 Impact, Exploitability, and Mitigation Steps | Wiz