CVE-2026-28802

UNKNOWN 0.0

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

CWE	CWE-347
Vendor	authlib
Product	authlib
Published	Mar 6, 2026
Last Updated	Mar 6, 2026

Stay Ahead of the Next One

Get instant alerts for authlib authlib

Be the first to know when new unknown vulnerabilities affecting authlib authlib are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

authlib / authlib

>= 1.6.5, < 1.6.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg github.com: https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75 github.com: https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7