CVE-2026-34531: Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
(updated )
In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application’s token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.
References
- github.com/advisories/GHSA-p44q-vqpr-4xmg
- github.com/miguelgrinberg/Flask-HTTPAuth
- github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1
- github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg
- github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee
- nvd.nist.gov/vuln/detail/CVE-2026-34531
Code Behaviors & Features
Detect and mitigate CVE-2026-34531 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →