CVE-2026-49852

Summary

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(…) to hmac.new(…) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.

Affected Software

VendorProductVersion RangeStatus
authlibjoserfc< 1.6.8affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-326: CWE-326: Inadequate Encryption Strength
  • CWE-1391: CWE-1391: Use of Weak Credentials

References