Critical severityNVD Advisory· Published Mar 16, 2026· Updated Mar 18, 2026

Authlib JWS JWK Header Injection: Signature Verification Bypass

CVE-2026-27962

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
authlibPyPI	< 1.6.9	1.6.9

Affected products

Authlib/Authlibv5
Range: < 1.6.9

Patches

a5d4b2d4c9e4

fix(jose): do not use header's jwk automatically

https://github.com/authlib/authlibHsiaoming YangFeb 25, 2026via ghsa

commit

2 files changed · +0 −4

authlib/jose/rfc7515/jws.py+0 −2 modified

@@ -269,8 +269,6 @@ def _prepare_algorithm_key(self, header, payload, key):
         algorithm = self.ALGORITHMS_REGISTRY[alg]
         if callable(key):
             key = key(header, payload)
-        elif key is None and "jwk" in header:
-            key = header["jwk"]
         key = algorithm.prepare_key(key)
         return algorithm, key

authlib/jose/rfc7516/jwe.py+0 −2 modified

@@ -754,6 +754,4 @@ def _validate_private_headers(self, header, alg):
 def prepare_key(alg, header, key):
     if callable(key):
         key = key(header, None)
-    elif key is None and "jwk" in header:
-        key = header["jwk"]
     return alg.prepare_key(key)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-wvwj-cvrp-7pv5ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-27962ghsaADVISORY
github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681ghsax_refsource_MISCWEB
github.com/authlib/authlib/releases/tag/v1.6.9ghsax_refsource_MISCWEB
github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000