UBUNTU-CVE-2026-34531

Source
https://ubuntu.com/security/CVE-2026-34531
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-34531
Upstream
  • CVE-2026-34531
Published
2026-04-01T21:17:00Z
Modified
2026-05-20T16:25:34.123435008Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
  • Ubuntu - medium
Summary
[none]
Details

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, when a client made a request to a token-protected resource without passing a token, or while passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, the client request could potentially be authenticated as any of those users. This issue has been patched in version 4.8.1.
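The following is an added example, not code from Flask-HTTPAuth or from this advisory: it models an application-side token verification callback that receives an empty string, next to a hardened version and a small audit for the precondition. The user store and the names `USERS`, `verify_token_naive`, `verify_token_hardened` and `users_with_empty_token` are hypothetical.

```python
import hmac

# Constructed sample user store. "carol" was provisioned without a token,
# stored as an empty string: the precondition the advisory describes.
USERS = {
    "alice": "3f9c1e7a5b2d4c68",
    "bob": "a71d0e42c9b85f36",
    "carol": "",
}


def verify_token_naive(token):
    """Callback that looks up whatever value it is handed.

    On an affected version the callback is invoked with token == "" when
    the client sends no token, so the empty stored token matches.
    """
    for user, stored in USERS.items():
        if stored == token:
            return user
    return None


def verify_token_hardened(token):
    """Reject missing or blank tokens before any lookup is attempted."""
    if not isinstance(token, str) or not token.strip():
        return None
    for user, stored in USERS.items():
        # Skip accounts without a usable token; compare the rest with a
        # constant-time primitive.
        if stored and hmac.compare_digest(stored.encode(), token.encode()):
            return user
    return None


def users_with_empty_token(users):
    """Audit helper: accounts that an empty token could be matched against."""
    return sorted(u for u, t in users.items() if t is None or not str(t).strip())


if __name__ == "__main__":
    print("naive, empty token    ->", verify_token_naive(""))
    print("hardened, empty token ->", verify_token_hardened(""))
    print("accounts to remediate ->", users_with_empty_token(USERS))
```

The guard in the callback is defence in depth for installations that cannot yet move to 4.8.1; the audit result is the list of accounts that need a real token or need token login disabled.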

References

Affected packages

Ubuntu:16.04:LTS
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.2.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-flask-httpauth",
            "binary_version": "2.2.1-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"
Ubuntu:18.04:LTS
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.2.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python-flask-httpauth",
            "binary_version": "3.2.1-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"
Ubuntu:20.04:LTS
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.2.4-3
3.2.4-3.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-flask-httpauth",
            "binary_version": "3.2.4-3.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"
Ubuntu:22.04:LTS
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.2.4-3.1
4.*
4.5.0-1
4.5.0-2
4.5.0-3
4.5.0-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-flask-httpauth",
            "binary_version": "4.5.0-4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"
Ubuntu:24.04:LTS
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

4.*
4.5.0-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-flask-httpauth",
            "binary_version": "4.5.0-4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"
Ubuntu:25.10
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

4.*
4.8.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-flask-httpauth",
            "binary_version": "4.8.0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"
Ubuntu:26.04:LTS
python-flask-httpauth

Package

Name
python-flask-httpauth
Purl
pkg:deb/ubuntu/python-flask-httpauth?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

4.*
4.8.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "python3-flask-httpauth",
            "binary_version": "4.8.0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-34531.json"