CVE-2026-49852
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(...) to hmac.new(...) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.
| CWE | CWE-287 CWE-326 CWE-1391 |
| Vendor | authlib |
| Product | joserfc |
| Published | Jul 17, 2026 |
Get instant alerts for authlib joserfc
Be the first to know when new unknown vulnerabilities affecting authlib joserfc are published โ delivered to Slack, Telegram or Discord.