CVE-2026-28498
Publication date 16 March 2026
Last updated 16 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-authlib | 26.04 LTS resolute |
Fixed 1.6.7-1ubuntu0.1~esm1
|
| 24.04 LTS noble |
Fixed 1.3.0-1ubuntu0.1~esm2
|
|
| 22.04 LTS jammy |
Fixed 0.15.5-1ubuntu0.1~esm2
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version:
Base score
8.2 · High
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Base score
9.1 · Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8557-1
- Authlib vulnerabilities
- 16 July 2026