GHSA-p44q-vqpr-4xmg

Source
https://github.com/advisories/GHSA-p44q-vqpr-4xmg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p44q-vqpr-4xmg/GHSA-p44q-vqpr-4xmg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p44q-vqpr-4xmg
Aliases
  • CVE-2026-34531
Published
2026-03-31T23:48:02Z
Modified
2026-04-06T17:36:41.025673Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Summary
Flask-HTTPAuth invokes the token verification callback when a missing or empty token is given by the client
Details

Summary

In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.

Notes

  • This issue applies only to token authentication.
  • This issue applies only when the application verifies tokens by searching for them in a user database.
  • This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to NULL instead.
  • Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
  • Basic and Digest authentication are not affected by this issue.

Remediation

To protect against this issue, developers should make sure that no user in the user database has their token set to an empty string. If there are such users, change the value of those tokens to NULL instead.

Alternatively, developers can upgrade their projects to Flask-HTTPAuth>=4.8.1, which fixes this issue.
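The following is an added example, not code from the advisory or from Flask-HTTPAuth itself. It models the lookup-by-token callback pattern described in the Summary against a constructed in-memory user table, shows why a user record whose token is stored as an empty string is matched when the client sends no token (the pre-4.8.1 behaviour is approximated by a small header-parsing helper, an assumption of this example rather than library code), and shows the two remediations side by side: rejecting empty tokens in the callback, and storing NULL/None instead of an empty string. The `users_with_empty_token` helper is the audit check a developer would run over their own user table before applying the remediation.

```python
# Added example, not Flask-HTTPAuth's own code. The user tables below are
# constructed for this demonstration; the header parsing is a simplified
# model of the behaviour the advisory describes, not the library's code.
from typing import Callable, Dict, List, Optional

UserTable = Dict[str, Dict[str, Optional[str]]]

# Constructed sample data: "bob" has no token assigned. Storing that as ""
# is exactly the pattern the advisory says is affected.
USERS_EMPTY_STRING: UserTable = {
    "alice": {"token": "tok-alice-123"},
    "bob": {"token": ""},
}

# Same users with the remediated storage convention (None instead of "").
USERS_NULL: UserTable = {
    "alice": {"token": "tok-alice-123"},
    "bob": {"token": None},
}


def token_from_header(auth_header: Optional[str]) -> str:
    """Simplified model of the pre-4.8.1 behaviour: a missing Authorization
    header, a non-Bearer scheme, or an empty credential all produce "" which
    is then passed straight to the application's callback."""
    if not auth_header:
        return ""
    scheme, _, credential = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return credential.strip()


def verify_token_naive(token: str, users: UserTable) -> Optional[str]:
    """Typical lookup-by-token callback: return the matching username or None.
    It does not guard against an empty token, so "" matches any user whose
    stored token is ""."""
    for username, record in users.items():
        if record["token"] == token:
            return username
    return None


def verify_token_hardened(token: Optional[str], users: UserTable) -> Optional[str]:
    """Same lookup, but an empty/missing token is rejected before the search,
    and records with no token (None or "") can never be matched."""
    if not token:
        return None
    for username, record in users.items():
        stored = record["token"]
        if stored and stored == token:
            return username
    return None


def authenticate(auth_header: Optional[str], users: UserTable,
                 callback: Callable[[str, UserTable], Optional[str]]) -> Optional[str]:
    """Drive the callback the way the affected library would: the extracted
    (possibly empty) token is handed to the callback unconditionally."""
    return callback(token_from_header(auth_header), users)


def users_with_empty_token(users: UserTable) -> List[str]:
    """Audit helper for the advisory's remediation: list users whose token is
    stored as an empty string and should be changed to NULL/None."""
    return sorted(u for u, r in users.items() if r["token"] == "")


if __name__ == "__main__":
    # No Authorization header at all, naive callback, empty-string storage:
    # the request is authenticated as "bob" without any credential.
    print(authenticate(None, USERS_EMPTY_STRING, verify_token_naive))      # bob
    # Either remediation alone closes the gap.
    print(authenticate(None, USERS_NULL, verify_token_naive))              # None
    print(authenticate(None, USERS_EMPTY_STRING, verify_token_hardened))   # None
    print(users_with_empty_token(USERS_EMPTY_STRING))                      # ['bob']
```

Run it as a script to see the four cases; the hardened callback is the defensive choice even after upgrading, since it also protects against any future row that ends up with an empty token by mistake.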

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "github_reviewed_at": "2026-03-31T23:48:02Z",
    "nvd_published_at": "2026-04-01T21:17:01Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

PyPI / flask-httpauth

Affected ranges

Type: ECOSYSTEM
Events
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 4.8.1

Affected versions

1.*
1.0.0
1.1.0
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.7.1
2.7.2
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
4.5.0
4.6.0
4.7.0
4.8.0

Database specific

  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p44q-vqpr-4xmg/GHSA-p44q-vqpr-4xmg.json"
  • last_known_affected_version_range: "<= 4.8.0"