{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T01:38:14.891","vulnerabilities":[{"cve":{"id":"CVE-2026-28498","sourceIdentifier":"security-advisories@github.com","published":"2026-03-16T18:16:07.717","lastModified":"2026-06-17T10:28:44.923","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9."},{"lang":"es","value":"Authlib es una biblioteca Python que construye servidores OAuth y OpenID Connect. Antes de la versión 1.6.9, se identificó una vulnerabilidad a nivel de biblioteca en la biblioteca Python Authlib con respecto a la validación de los tokens de ID de OpenID Connect (OIDC). Específicamente, la lógica interna de verificación de hash (_verify_hash) responsable de validar las reclamaciones at_hash (Hash de Token de Acceso) y c_hash (Hash de Código de Autorización) exhibe un comportamiento fail-open al encontrar un algoritmo criptográfico no compatible o desconocido. Esta falla permite a un atacante eludir las protecciones de integridad obligatorias al suministrar un token de ID falsificado con un parámetro de encabezado alg deliberadamente no reconocido. La biblioteca intercepta el estado no compatible y devuelve silenciosamente True (validación aprobada), violando inherentemente los principios fundamentales de diseño criptográfico y las especificaciones directas de OIDC. Este problema ha sido parcheado en la versión 1.6.9."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"authlib","product":"authlib","versions":[{"version":"< 1.6.9","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-16T18:14:21.039703Z","id":"CVE-2026-28498","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-354"},{"lang":"en","value":"CWE-573"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*","versionEndExcluding":"1.6.9","matchCriteriaId":"8C677FEC-2094-49D8-ABAB-F740B6F83D38"}]}]}],"references":[{"url":"https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/authlib/authlib/releases/tag/v1.6.9","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}