VYPR
Critical severityNVD Advisory· Published Mar 16, 2026· Updated Mar 18, 2026

Authlib JWS JWK Header Injection: Signature Verification Bypass

CVE-2026-27962

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
authlibPyPI
< 1.6.91.6.9

Affected products

7

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.