CVE-2026-49852
HIGH
8.7
CVSS 4.0
Description
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(...) to hmac.new(...) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.
Metadata
Severity & Metrics
8.7
HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| authlib | joserfc | — | < 1.6.8 |
Weakness (CWE)
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 8.7 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
References (3)
- https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh
- https://github.com/authlib/joserfc/commit/86d00910b2b2d2d07503fee9b572906daefab7f1 https://github.com/authlib/joserfc/commit/86d00910b2b2d2d07503fee9b572906daefab7f1
- https://github.com/authlib/joserfc/releases/tag/1.6.8 https://github.com/authlib/joserfc/releases/tag/1.6.8