๐Ÿ” CVE Alert

CVE-2026-49852

UNKNOWN 0.0

joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(...) to hmac.new(...) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.

CWE CWE-287 CWE-326 CWE-1391
Vendor authlib
Product joserfc
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for authlib joserfc

Be the first to know when new unknown vulnerabilities affecting authlib joserfc are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

authlib / joserfc
< 1.6.8

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh github.com: https://github.com/authlib/joserfc/commit/86d00910b2b2d2d07503fee9b572906daefab7f1 github.com: https://github.com/authlib/joserfc/releases/tag/1.6.8