VDB
DEBIAN-CVE-2026-28490
DEBIAN-CVE-2026-28490
PUBLISHED
CVSS 6.5 MEDIUM
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | python-authlib | 1.2.0-1, 1.2.0-1, 1.2.1-1 |
| Debian:13 | python-authlib | 1.6.1-1, 1.6.0-1, 1.6.0-1+deb13u1 |
| Debian:14 | python-authlib | 0, 1.6.0-1, 1.6.1-1 |
| Debian:11 | python-authlib | 1.6.1-1, 1.6.3-1, 1.6.6-1 |
Timeline
- Mar 16, 2026 CVE Published
- May 11, 2026 CVE Updated