CVE-2026-49852
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(…) to hmac.new(…) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| authlib | joserfc | < 1.6.8 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
- CWE-326: CWE-326: Inadequate Encryption Strength
- CWE-1391: CWE-1391: Use of Weak Credentials
References
- https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh
- https://github.com/authlib/joserfc/commit/86d00910b2b2d2d07503fee9b572906daefab7f1
- https://github.com/authlib/joserfc/releases/tag/1.6.8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.