Cyber Resilience

CVE-2026-34531

Severity: Medium

Published: 01 April 2026
Modified: 28 May 2026
KEV Added: not listed
Patch: available (4.8.1)
CVSS Score v3.1: 6.5 · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score: 0.0032 · 24.1st percentile
Risk Priority: 35 · floored blend · peak EPSS

Summary

CVE-2026-34531 is a medium-severity Improper Authentication (CWE-287) vulnerability in miguelgrinberg's Flask-HTTPAuth. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE is ranked at the 24.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-34531 is a vulnerability in Flask-HTTPAuth, a library that provides Basic, Digest, and Token HTTP authentication for Flask routes. Versions prior to 4.8.1 are affected. The issue occurs when a client requests a token-protected resource without providing a token or with an empty token. In these cases, Flask-HTTPAuth passes an empty string to the application's token verification callback function. If the application has users in its database configured with an empty string as their token, the callback may authenticate the request as one of those users.

A remote attacker without privileges can exploit this vulnerability by sending a request to a token-protected resource either without a token header or with an empty token value. Exploitation requires the target application to have at least one user with an empty token in its database, which represents a misconfiguration. Successful exploitation allows the attacker to impersonate such a user, achieving unauthorized access to protected resources with that user's permissions. The CVSS v3.1 base score is 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating medium severity primarily due to the high attack complexity stemming from the need for specific application misconfigurations.
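The mechanism described above, as an added example that is not Flask-HTTPAuth's own code and not a reproduction of the vulnerable or fixed library source: a simplified model of how a missing or empty Bearer header became an empty-string token argument before 4.8.1, a typical lookup-style verify_token callback that accepts it when a user row holds an empty token, the hardened callback that refuses empty tokens before any lookup, and an audit helper for the precondition (a user store containing empty tokens). The header parser, the user table and every name in the block are constructed assumptions for illustration.

```python
"""Added example, not Flask-HTTPAuth's own code. Models the pre-4.8.1 flow
described in the advisory and shows the application-side checks."""
from typing import Callable, Dict, List, Optional

# Constructed sample user store keyed by token (assumption: a typical
# application keeps such a map or runs `SELECT ... WHERE token = ?`).
# The second row is the misconfiguration the advisory requires: a user
# whose stored token is the empty string.
USERS_BY_TOKEN: Dict[str, str] = {
    "s3cr3t-alice": "alice",
    "": "svc-account",
}


def extract_bearer_token(authorization: Optional[str]) -> str:
    """Simplified model (assumption, not the library's parser) of how the
    token argument was derived before 4.8.1: no header, a non-Bearer
    scheme, or 'Bearer' followed by nothing all collapse to ''."""
    if not authorization:
        return ""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return token.strip()


def verify_token_vulnerable(token: str) -> Optional[str]:
    """The callback pattern the advisory warns about: a plain lookup.
    With the '' row present, an empty token resolves to svc-account."""
    return USERS_BY_TOKEN.get(token)


def verify_token_hardened(token: str) -> Optional[str]:
    """Same lookup, but empty or absent tokens are refused before the
    store is consulted, so the outcome no longer depends on the library
    version or on the user table being clean."""
    if not token:
        return None
    return USERS_BY_TOKEN.get(token)


def authenticate(authorization: Optional[str],
                 callback: Callable[[str], Optional[str]]) -> Optional[str]:
    """Drive a callback the way the pre-4.8.1 library did: always invoke
    it, even when the extracted token is ''. Returns the user or None."""
    return callback(extract_bearer_token(authorization))


def find_empty_token_users(users_by_token: Dict[str, str]) -> List[str]:
    """Audit helper for the precondition: users whose stored token is
    empty or whitespace only. A non-empty result means the store is
    exploitable on the unpatched library."""
    return [user for token, user in users_by_token.items() if not token.strip()]


if __name__ == "__main__":
    for header in (None, "Bearer ", "Basic Zm9v", "Bearer s3cr3t-alice"):
        print(repr(header),
              "vulnerable ->", authenticate(header, verify_token_vulnerable),
              "| hardened ->", authenticate(header, verify_token_hardened))
    print("users with empty tokens:", find_empty_token_users(USERS_BY_TOKEN))
```

The hardened callback is a defence in depth for applications that cannot upgrade immediately; the audit helper is the check to run against the real user store before and after upgrading, since the empty-token rows are a misconfiguration the library fix does not remove.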

The vulnerability has been patched in Flask-HTTPAuth version 4.8.1. Administrators should upgrade to this version or later to mitigate the issue. Official details are provided in the GitHub security advisory at https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg, the release notes for v4.8.1 at https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1, and the fixing commit at https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee.

Vulnerability details

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.

CWE(s)

CWE-287 Improper Authentication
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing Flask web application library, directly enabling remote exploitation of the app for unauthorized access to protected resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 · shared CWE-287
CVE-2026-1740 · shared CWE-287
CVE-2026-7022 · shared CWE-287
CVE-2024-13111 · shared CWE-287
CVE-2026-29145 · shared CWE-287
CVE-2018-25236 · shared CWE-287
CVE-2024-53704 · shared CWE-287
CVE-2024-57049 · shared CWE-287
CVE-2025-12374 · shared CWE-287
CVE-2025-15484 · shared CWE-287

Affected Assets

miguelgrinberg / flask-httpauth
< 4.8.1 (fixed in 4.8.1)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-2 Flaw Remediation · prevent
Requires timely remediation of flaws such as this authentication vulnerability in Flask-HTTPAuth by patching to version 4.8.1 or later.

IA-5 Authenticator Management · prevent
Mandates management of authenticators like tokens to enforce minimum strength requirements, preventing empty tokens that enable exploitation.

AC-2 Account Management · prevent
Ensures account management processes review and prohibit misconfigurations such as users with empty token values in the database.

References

GitHub security advisory GHSA-p44q-vqpr-4xmg: https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg
Release notes for v4.8.1: https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1
Fixing commit: https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee