CVE-2026-34531
Published: 01 April 2026
Summary
CVE-2026-34531 is a medium-severity Improper Authentication (CWE-287) vulnerability in Flask-HTTPAuth (miguelgrinberg). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 24.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-34531 is a vulnerability in Flask-HTTPAuth, a library that provides Basic, Digest, and Token HTTP authentication for Flask routes. Versions prior to 4.8.1 are affected. The issue occurs when a client requests a token-protected resource without providing a token or with an empty token. In these cases, Flask-HTTPAuth passes an empty string to the application's token verification callback function. If the application has users in its database configured with an empty string as their token, the callback may authenticate the request as one of those users.
A remote attacker without privileges can exploit this vulnerability by sending a request to a token-protected resource either without a token header or with an empty token value. Exploitation requires the target application to have at least one user with an empty token in its database, which represents a misconfiguration. Successful exploitation allows the attacker to impersonate such a user, achieving unauthorized access to protected resources with that user's permissions. The CVSS v3.1 base score is 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating medium severity primarily due to the high attack complexity stemming from the need for specific application misconfigurations.
The vulnerability has been patched in Flask-HTTPAuth version 4.8.1. Administrators should upgrade to this version or later to mitigate the issue. Official details are provided in the GitHub security advisory at https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg, the release notes for v4.8.1 at https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1, and the fixing commit at https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee.
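To make the failure mode described above concrete, and to show the account-hygiene check the mitigating controls later on this page call for, here is an added, self-contained model. It is example code written for this page, not Flask-HTTPAuth's source or the fixing commit: `extract_token` stands in for the pre-4.8.1 header handling as the advisory describes it (a missing or empty credential reaches the callback as `""`), the two callbacks are hypothetical application code of the kind an app registers with the library's `@auth.verify_token` decorator, and the user table is constructed. Upgrading to 4.8.1 remains the fix; the hardened callback and the audit helper are defence in depth for applications that cannot upgrade immediately.

```python
"""Model of CVE-2026-34531: an absent or empty bearer token reaching the
application's token callback as "" and matching a user whose stored token
is also "". Constructed example; not Flask-HTTPAuth source code."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed user table (token -> username). The second row is the
# misconfiguration the advisory describes: an account whose token is "".
USERS_BY_TOKEN: Dict[str, str] = {
    "s3cr3t-token-alice": "alice",
    "": "service-account",
}


def extract_token(authorization_header: Optional[str]) -> str:
    """Stand-in for the pre-4.8.1 behaviour the advisory describes: a missing
    Authorization header, a non-Bearer scheme or an empty credential all
    yield "", which is then passed to the verify callback unchanged.
    (Assumption: this models the advisory text, not the library's parser.)"""
    if not authorization_header:
        return ""
    scheme, _, credentials = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return credentials.strip()


def vulnerable_verify_token(token: str) -> Optional[str]:
    """Typical application callback: look the token up and return the user.
    With no guard on the empty string, "" matches the misconfigured row."""
    return USERS_BY_TOKEN.get(token)


def hardened_verify_token(token: str) -> Optional[str]:
    """Same lookup, but an empty or blank token is rejected before the lookup,
    so no stored credential can be matched by an absent one."""
    if not token or not token.strip():
        return None
    return USERS_BY_TOKEN.get(token)


def authenticate(authorization_header: Optional[str],
                 verify: Callable[[str], Optional[str]]) -> Tuple[int, Optional[str]]:
    """Outcome of a request to a token-protected route: (HTTP status, user)."""
    user = verify(extract_token(authorization_header))
    return (200, user) if user is not None else (401, None)


def audit_empty_tokens(users_by_token: Dict[str, str]) -> List[str]:
    """Account-hygiene check (the AC-2 / IA-5 angle): list every account whose
    stored token is empty or whitespace-only, so it can be fixed or disabled."""
    return sorted(user for token, user in users_by_token.items() if not token.strip())


if __name__ == "__main__":
    for header in (None, "Bearer ", "Bearer s3cr3t-token-alice", "Bearer wrong"):
        print(f"{header!r:>30} vulnerable={authenticate(header, vulnerable_verify_token)} "
              f"hardened={authenticate(header, hardened_verify_token)}")
    print("accounts with empty tokens:", audit_empty_tokens(USERS_BY_TOKEN))
```

Run stand-alone, the script shows a request with no Authorization header, and one with `Bearer ` and nothing after it, being accepted as `service-account` by the vulnerable callback and rejected with 401 by the hardened one, while a valid token still authenticates `alice` in both. The audit helper is the query to run against a real user store before and after upgrading: any account it returns is one this class of bug can impersonate.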
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18056
Vulnerability details
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing Flask web application library, directly enabling remote exploitation of the app for unauthorized access to protected resources.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely remediation of flaws such as this authentication vulnerability in Flask-HTTPAuth by patching to version 4.8.1 or later.
- IA-5 (Authenticator Management): mandates management of authenticators such as tokens to enforce minimum strength requirements, which rules out the empty tokens that make this issue exploitable.
- AC-2 (Account Management): ensures account management processes review and prohibit misconfigurations such as users with empty token values in the database.