VDB

CVE-2026-28498

CVE-2026-28498 PUBLISHED CVSS 8.199999809265137 HIGH

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.

EPSS 0.03% · 8.9th percentile

Risk Scores

CVSS 4.0
8.199999809265137
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.03%
8.9th percentile

Affected Products

VendorProductVersions
PyPIauthlib0, 0, 0
authlibauthlib< 1.6.9, 0, < 1.6.9

Exploit Intelligence

…and 10 more exploits

Timeline

  • Mar 16, 2026 CVE Published
  • Mar 17, 2026 EPSS Score
  • Mar 17, 2026 Coalition ESS Score
  • Mar 17, 2026 Security Advisory
  • Mar 18, 2026 EPSS Score
  • Mar 18, 2026 PoC Published
  • Mar 19, 2026 EPSS Score
  • Mar 20, 2026 EPSS Score
  • Mar 21, 2026 EPSS Score
  • Mar 22, 2026 EPSS Score
  • Mar 23, 2026 EPSS Score
  • Mar 24, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›