CVE-2026-28490

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22	Patch
https://github.com/authlib/authlib/releases/tag/v1.6.9	Product Release Notes
https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-16 18:16

Updated : 2026-03-17 20:45

NVD link : CVE-2026-28490

Mitre link : CVE-2026-28490

CVE.ORG link : CVE-2026-28490

JSON object : View

Products Affected

authlib

authlib

CWE

CWE-203

Observable Discrepancy

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

{"id": "CVE-2026-28490", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-16T18:16:07.557", "references": [{"url": "https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9."}, {"lang": "es", "value": "Authlib es una biblioteca Python que construye servidores OAuth y OpenID Connect. Antes de la versi\u00f3n 1.6.9, se identific\u00f3 una vulnerabilidad de or\u00e1culo de relleno criptogr\u00e1fico en la biblioteca Python Authlib relacionada con la implementaci\u00f3n del algoritmo de gesti\u00f3n de claves RSA1_5 de JSON Web Encryption (JWE). Authlib registra RSA1_5 en su registro de algoritmos predeterminado sin requerir una aceptaci\u00f3n expl\u00edcita, y destruye activamente la mitigaci\u00f3n de tiempo constante de Bleichenbacher que la biblioteca de criptograf\u00eda subyacente implementa correctamente. Este problema ha sido parcheado en la versi\u00f3n 1.6.9."}], "lastModified": "2026-03-17T20:45:45.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C677FEC-2094-49D8-ABAB-F740B6F83D38", "versionEndExcluding": "1.6.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}