| Name | CVE-2026-28802 |
| Description | Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was expected. This issue has been patched in version 1.6.7. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-authlib (PTS) | bullseye | 0.15.4-1 | vulnerable |
| | bullseye (security) | 0.15.4-1+deb11u1 | vulnerable |
| | bookworm | 1.2.0-1 | fixed |
| | trixie | 1.6.0-1 | vulnerable |
| | forky, sid | 1.6.9-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-authlib | source | bookworm | (not affected) | | | |
| python-authlib | source | (unstable) | 1.6.7-1 | | | |
[bookworm] - python-authlib <not-affected> (Vulnerable code not present)
https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
Introduced with: https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75 (v1.6.0)
Fixed by: https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7 (v1.6.7)
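The description above is the classic `alg: none` bug class: a verifier that trusts the algorithm named in the attacker-controlled header, and treats an empty third segment as "no signature needed". The following stdlib-only example is added here to make the failure mode concrete; it is not authlib's code and does not use authlib's API. It builds a forged `alg: none` token with an empty signature, shows a lax verifier that accepts it (mirroring the bug), and a hardened verifier that pins an explicit algorithm allowlist, refuses `none` unconditionally, and requires a present, matching signature. The key, claims and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; not from the advisory or any real deployment.
SECRET = b"constructed-example-hmac-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a legitimate HS256 token over the given claims."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """Attacker token: header says alg=none and the signature segment is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_lax(token: str, key: bytes) -> dict:
    """Mirrors the bug class: the header's alg decides whether a signature is checked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none" and sig_b64 == "":
        # Accepted without any cryptographic check: this is the vulnerability.
        return json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_strict(token: str, key: bytes, allowed: tuple = ("HS256",)) -> dict:
    """Hardened verifier: the caller, not the token, chooses the algorithm."""
    if "none" in allowed:
        raise ValueError("'none' may never be an allowed algorithm")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in allowed:
        raise ValueError("algorithm not permitted")
    if sig_b64 == "":
        raise ValueError("missing signature")
    # Only HS256 is implemented in this example; a real verifier dispatches on the pinned alg.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def strict_accepts(token: str, key: bytes) -> bool:
    """Convenience wrapper so a caller can test acceptance without catching exceptions."""
    try:
        verify_strict(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, SECRET)
    forged = forge_alg_none({"sub": "admin"})
    print("lax accepts forged token:", verify_lax(forged, SECRET))
    print("strict accepts good token:", strict_accepts(good, SECRET))
    print("strict accepts forged token:", strict_accepts(forged, SECRET))
```

The practical check for a deployment on an affected version is the same as the strict verifier's first two guards: confirm the decoding call is given an explicit allowlist of algorithms that never includes `none`, and confirm a token with an `alg: none` header and an empty signature segment is rejected, then upgrade to 1.6.7 or later.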