CVE-2026-28802: Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5), it was noticed that existing tests which pass a malicious JWT containing `alg: none` and an empty signature were passing the signature verification step without any changes to the application code, where a failure was expected.
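As an added, application-side mitigation (example code written for this page, not Authlib's own code or the advisory's): a guard that rejects `alg: none` and empty-signature tokens before any JWT library sees them, plus an HS256 verifier that runs the guard first. The function names, the `HS256` allow-list and the test key are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this application actually issues tokens with (an assumption for the example).
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_header(token: str) -> str:
    """Structural checks to run before any JWT library; returns the alg or raises."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers both bad base64 and bad JSON
        raise ValueError("malformed header") from exc
    alg = header.get("alg")
    # Reject "none" in any letter case, then anything outside the allow-list.
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsigned tokens are not accepted")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} is not allowed")
    if parts[2] == "":
        raise ValueError("empty signature")
    return alg


def sign_hs256(claims: dict, key: bytes) -> str:
    # Issuer side, included only so the example can be exercised offline.
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    # Guard first, then a constant-time signature compare; returns the claims.
    check_token_header(token)
    header_b64, payload_b64, signature_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))
```

The guard is defence in depth alongside upgrading to a fixed Authlib release; it does not replace the library's own verification.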
References
- github.com/advisories/GHSA-7wc2-qxgw-g8gg
- github.com/authlib/authlib
- github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75
- github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7
- github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
- nvd.nist.gov/vuln/detail/CVE-2026-28802
Detect and mitigate CVE-2026-28802 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.