CVE-2026-27962
Published: 16 March 2026
Summary
CVE-2026-27962 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Authlib. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 22.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and patching of the specific JWK Header Injection flaw in Authlib versions prior to 1.6.9, eliminating the vulnerability.
- Mandates secure establishment and management of cryptographic keys, preventing reliance on attacker-supplied public keys embedded in JWT jwk headers.
- Implements cryptographic mechanisms to protect JWT token integrity, countering forged signatures that bypass verification due to improper key extraction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of public-facing OAuth/OIDC server via JWS deserialization (T1190); enables forging of accepted JWT authentication tokens via jwk header key injection (T1606).
NVD Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
Deeper analysis
CVE-2026-27962 is a JWK Header Injection vulnerability in the JWS implementation of Authlib, a Python library used to build OAuth and OpenID Connect servers. The flaw affects versions prior to 1.6.9. It occurs when the key=None parameter is passed to any JWS deserialization function, causing the library to extract and use a cryptographic key embedded in the attacker-controlled JWT jwk header field, enabling forged tokens to pass signature verification.
An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no privileges required. By signing a JWT token with their own private key and embedding the matching public key in the jwk header, the attacker can produce arbitrary tokens that the server accepts as cryptographically valid. This bypasses authentication and authorization entirely, leading to high impacts on confidentiality and integrity, as reflected in the CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The issue is classified under CWE-347.
The vulnerability has been patched in Authlib version 1.6.9. Security advisories recommend updating to this version or later to mitigate the issue. Relevant resources include the GitHub security advisory at https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5, release notes at https://github.com/authlib/authlib/releases/tag/v1.6.9, and the fixing commit at https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681.
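The defensive principle behind the fix, as an added example that is not Authlib's own code and is not taken from this advisory: a small standard-library JWS verifier that treats the token header as untrusted input, resolves the verification key only from a server-side trust store looked up by kid, and rejects any token whose header tries to carry its own key material before the signature is even examined. The jwk field is the case the advisory describes; rejecting jku, x5u and x5c as well is a generalization to the other header fields that can carry or point to keys. All key IDs, secrets and tokens are constructed placeholders, and HS256 with an "oct" key stands in for the RSA/EC keys of the real attack so that the example runs offline. The same principle applies to Authlib callers: pass the server's own key or key set to the deserialization function rather than key=None.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: the server's own verification keys, addressed by
# "kid". The values are placeholder secrets for this demo, not real key material.
TRUSTED_KEYS = {
    "srv-2026-03": b"placeholder-server-hmac-secret",
}

# Header fields that carry or point to key material; a verifier that pins its
# keys has no reason to honour any of them from an unauthenticated token.
KEY_CARRYING_HEADERS = ("jwk", "jku", "x5c", "x5u")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature); used only to make demo tokens."""
    h64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


def resolve_trusted_key(header: dict) -> bytes:
    """Pick the verification key from TRUSTED_KEYS.

    The header is attacker-controlled, so it may only *name* a key (via kid);
    it must never *supply* one. This is the check a verifier loses when it
    lets the library fall back to the key embedded in the header.
    """
    for field in KEY_CARRYING_HEADERS:
        if field in header:
            raise ValueError(f"rejected: header carries its own key material ({field})")
    if header.get("alg") != "HS256":
        raise ValueError("rejected: unexpected alg")
    kid = header.get("kid")
    if kid not in TRUSTED_KEYS:
        raise ValueError("rejected: unknown kid")
    return TRUSTED_KEYS[kid]


def verify_compact(token: str) -> dict:
    """Verify a compact JWS against a pinned key and return its claims."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("rejected: malformed compact JWS") from None
    header = json.loads(b64url_decode(h64))
    key = resolve_trusted_key(header)          # never derived from the token
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("rejected: signature mismatch")
    return json.loads(b64url_decode(p64))


def check(token: str) -> tuple:
    """Convenience wrapper returning (accepted, claims_or_reason)."""
    try:
        return True, verify_compact(token)
    except ValueError as exc:
        return False, str(exc)


def legitimate_token() -> str:
    # Issued with a key from the trust store and referenced by kid only.
    return sign_hs256({"alg": "HS256", "kid": "srv-2026-03"},
                      {"sub": "alice", "scope": "read"},
                      TRUSTED_KEYS["srv-2026-03"])


def header_injected_token() -> str:
    # The pattern the advisory describes: signed with a key the issuer never
    # had, with that key shipped inside the header's "jwk" field. A verifier
    # that trusts the header accepts this; the one above rejects it.
    rogue = b"constructed-rogue-secret"
    return sign_hs256({"alg": "HS256", "kid": "srv-2026-03",
                       "jwk": {"kty": "oct", "k": b64url_encode(rogue)}},
                      {"sub": "alice", "scope": "admin"},
                      rogue)


if __name__ == "__main__":
    print(check(legitimate_token()))
    print(check(header_injected_token()))
```

The rejection in resolve_trusted_key happens before any signature arithmetic, which is the useful property for logging: a token that arrives carrying a jwk (or jku/x5u/x5c) header is a strong signal worth alerting on, since a legitimate client of a key-pinning server never needs to send one.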
Details
- CWE(s)