Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
Published: 2026-03-16
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Immediately
AI Analysis

Impact

The vulnerability lies in Authlib's internal hash verification logic (_verify_hash) used to validate OpenID Connect ID Token claims such as at_hash and c_hash. When this logic encounters an unsupported or unknown cryptographic algorithm, the library fails open and quietly returns True, accepting the token as valid. This flaw permits an attacker to construct a forged ID token with a deliberately unrecognized "alg" header parameter, bypassing all mandated integrity checks and violating OIDC specifications. The consequence is the ability to impersonate users or authorize actions without proper authentication, thereby granting unauthorized access to protected resources. The weakness is identified as CWE-354 and CWE-573.

Affected Systems

Authlib, the popular Python OAuth/OpenID Connect library, is affected. All releases prior to version 1.6.9 contain the flaw; the vulnerability has been fixed in Authlib 1.6.9. Any application or service that integrates Authlib 1.6.8 or earlier and performs ID token validation is potentially vulnerable.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. EPSS is less than 1%, so exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is an adversary supplying a forged ID token to an application that relies on Authlib for token validation. Because the flaw results in silent acceptance of unsupported algorithms, no further conditions such as elevated privileges or network reconnaissance are required to exploit it.

Generated by OpenCVE AI on March 17, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authlib to version 1.6.9 or newer
  • Ensure that your OIDC token validation logic rejects unsupported or unknown algorithms
  • Check the provider's website or release notes regularly for future updates or patches
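The recommended check above (reject unsupported or unknown algorithms) and the fail-open behaviour described under Impact are easiest to see side by side. The following is an added example, not Authlib's code and not a copy of the patched `_verify_hash`: it computes OIDC `at_hash`/`c_hash` values per OIDC Core 3.3.2.11 (left-most half of the digest selected by the JWS `alg`, base64url without padding) and contrasts a verifier that returns True on an unknown `alg` with one that fails closed. The algorithm table, function names and token strings are constructed for the illustration.

```python
"""Constructed illustration (not Authlib's code) of OIDC hash binding:
at_hash / c_hash verification must fail closed on an unknown JWS alg."""
import base64
import hashlib
import hmac

# OIDC Core 3.3.2.10 / 3.3.2.11: the hash function is the one used by the
# ID Token's JWS alg. Anything absent from this table is an unsupported alg.
# (Constructed table; real libraries derive this from their JWS registry.)
_HASH_FOR_ALG = {
    **{a: hashlib.sha256 for a in ("HS256", "RS256", "ES256", "PS256")},
    **{a: hashlib.sha384 for a in ("HS384", "RS384", "ES384", "PS384")},
    **{a: hashlib.sha512 for a in ("HS512", "RS512", "ES512", "PS512")},
}


def _b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_hash_claim(value: str, alg: str) -> str:
    """at_hash / c_hash = base64url(left-most half of HASH(value))."""
    hash_fn = _HASH_FOR_ALG.get(alg)
    if hash_fn is None:
        raise ValueError(f"unsupported alg: {alg!r}")
    digest = hash_fn(value.encode("ascii")).digest()
    return _b64url_nopad(digest[: len(digest) // 2])


def verify_hash_fail_open(claim, value: str, alg: str) -> bool:
    """Shape of the bug the advisory describes (illustration only):
    an alg the verifier does not know is reported as verified."""
    if alg not in _HASH_FOR_ALG:
        return True  # BUG: unsupported alg short-circuits to 'valid'
    return hmac.compare_digest(claim, compute_hash_claim(value, alg))


def verify_hash_fail_closed(claim, value: str, alg: str) -> bool:
    """Fail-closed form: unknown alg, missing/odd claim, or mismatch all reject."""
    if alg not in _HASH_FOR_ALG:
        return False
    if not isinstance(claim, str) or not claim.isascii():
        return False
    return hmac.compare_digest(claim, compute_hash_claim(value, alg))


def check_id_token_bindings(header: dict, claims: dict, *,
                            access_token=None, code=None) -> bool:
    """Reject the ID Token unless every applicable binding verifies.
    Policy choice for this example: whenever an access token or code
    accompanies the ID Token, the matching claim must be present and valid.
    Signature verification of the JWS itself is out of scope here."""
    alg = header.get("alg")
    if access_token is not None and not verify_hash_fail_closed(
            claims.get("at_hash"), access_token, alg):
        return False
    if code is not None and not verify_hash_fail_closed(
            claims.get("c_hash"), code, alg):
        return False
    return True


if __name__ == "__main__":
    token = "constructed-access-token"          # constructed sample value
    good = {"alg": "RS256"}
    forged = {"alg": "XX256"}                   # constructed unknown alg
    claims = {"at_hash": compute_hash_claim(token, "RS256")}
    print("genuine, fail-closed:", check_id_token_bindings(good, claims, access_token=token))
    print("unknown alg, fail-open :", verify_hash_fail_open("bogus", token, forged["alg"]))
    print("unknown alg, fail-closed:", verify_hash_fail_closed("bogus", token, forged["alg"]))
```

A verifier that maps `alg` to a digest should treat the lookup miss as a rejection at the point of the lookup, as `verify_hash_fail_closed` does, rather than as a reason to skip the comparison; the same rule applies to a missing or malformed claim.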


Advisories

Source      | ID                  | Title
------------|---------------------|-------------------------------------------------------------------
Github GHSA | GHSA-m344-f55w-2m6j | Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
History

Tue, 17 Mar 2026 20:45:00 +0000

Type    | Values Removed                                                                      | Values Added
--------|-------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------
CPEs    |                                                                                     | cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*
Metrics | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'} | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 17 Mar 2026 10:00:00 +0000

Type               | Values Removed | Values Added
-------------------|----------------|------------------------
First Time         |                | Authlib; Authlib authlib
Vendors & Products |                | Authlib; Authlib authlib

Tue, 17 Mar 2026 00:15:00 +0000

Type       | Values Removed       | Values Added
-----------|----------------------|-------------------------------------------------------------------------------------
References |                      | (added)
Metrics    | threat_severity None | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}; threat_severity Important



Mon, 16 Mar 2026 19:15:00 +0000

Type    | Values Removed | Values Added
--------|----------------|------------------------------------------------------------------------------------------------------
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}



Mon, 16 Mar 2026 18:15:00 +0000

Type        | Values Removed | Values Added
------------|----------------|----------------------------------------------------------------------------------------------------
Description |                | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
Title       |                | Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
Weaknesses  |                | CWE-354; CWE-573
References  |                | (added)
Metrics     |                | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T18:14:42.149Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28498

Vulnrichment

Updated: 2026-03-16T18:14:33.935Z

NVD

Status : Analyzed

Published: 2026-03-16T18:16:07.717

Modified: 2026-03-17T20:40:37.573

Link: CVE-2026-28498

Redhat

Severity : Important

Public Date: 2026-03-16T18:03:28Z

Links: CVE-2026-28498 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:50:03Z

Weaknesses