Debian Python-Authlib vulnerabilities

9 known vulnerabilities affecting debian/python-authlib.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2026-27962 (CRITICAL, CVSS 9.1), fixed in python-authlib 1.6.9-1 (forky), 2026
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses
CVE-2026-28490 (HIGH, CVSS 8.3), fixed in python-authlib 1.6.9-1 (forky), 2026
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring
CVE-2026-28498 (HIGH, CVSS 8.2), fixed in python-authlib 1.6.9-1 (forky), 2026
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash)
CVE-2026-28802 (listed as LOW in the summary, [HIGH] in the entry; CVSS 7.7), fixed in python-authlib 1.6.7-1 (forky), 2026
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was expected. This issue has been patched in
CVE-2025-59420 (HIGH, CVSS 7.5), fixed in python-authlib 0.15.4-1+deb11u1 (bullseye), 2025
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject
CVE-2025-61920 (HIGH, CVSS 7.5), fixed in python-authlib 0.15.4-1+deb11u1 (bullseye), 2025
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url-encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input bef
CVE-2025-62706 (MEDIUM, CVSS 6.5), fixed in python-authlib 0.15.4-1+deb11u1 (bullseye), 2025
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service.
CVE-2025-68158 (MEDIUM, CVSS 5.7), fixed in python-authlib 1.6.6-1 (forky), 2025
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth c
CVE-2024-37568 (HIGH, CVSS 7.4), fixed in python-authlib 0.15.4-1+deb11u1 (bullseye), 2024
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Scope: local. bookworm: open; bullseye: resolved (fixed in 0.15.4-1+deb11u1); forky: resolved (fixed in 1.3.1-