CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27962.json",
    "cwe_ids": [
        "CWE-347"
    ]
}

References

Affected packages

Git / github.com/authlib/authlib

Affected ranges

Type: GIT
Repo: https://github.com/authlib/authlib
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9266eaa2227ad7e21dc731b2a4a01909aabd934b

Affected versions

v0.*

v0.1

v0.10

v0.11

v0.12

v0.13

v0.14

v0.14.1

v0.14.2

v0.14.3

v0.15

v0.2

v0.2.1

v0.3

v0.4

v0.4.1

v0.5

v0.5.1

v0.6

v0.7

v0.8

v0.9

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.2

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27962.json"

Git / github.com/lepture/authlib