Authlib JWS JWK Header Injection: Signature Verification Bypass
Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
authlibPyPI | < 1.6.9 | 1.6.9 |
Affected products
7- ghsa-coords6 versionspkg:pypi/authlibpkg:rpm/opensuse/python-Authlib&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-Authlib&distro=openSUSE%20Leap%2016.0pkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7pkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSSpkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6
< 1.6.9+ 5 more
- (no CPE)range: < 1.6.9
- (no CPE)range: < 1.3.1-150600.3.17.1
- (no CPE)range: < 1.5.2-bp160.3.1
- (no CPE)range: < 1.3.1-150600.3.17.1
- (no CPE)range: < 1.3.1-150600.3.17.1
- (no CPE)range: < 1.3.1-150600.3.17.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-wvwj-cvrp-7pv5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27962ghsaADVISORY
- github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681ghsax_refsource_MISCWEB
- github.com/authlib/authlib/releases/tag/v1.6.9ghsax_refsource_MISCWEB
- github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.