Back to overview

CVE-2026-49852

HIGH
8.7
CVSS 4.0
Description
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(...) to hmac.new(...) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.

Metadata

CVE ID
CVE-2026-49852
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-01 22:03 UTC
Published
2026-07-17 19:14 UTC
Last updated
2026-07-17 19:14 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
authlib / joserfc
Sources
cve.org  ·  NVD

Severity & Metrics

8.7 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
authlib joserfc < 1.6.8
Weakness (CWE)
CWESourceDescription
CWE-1391 cna CWE-1391: Use of Weak Credentials
CWE-287 cna CWE-287: Improper Authentication
CWE-326 cna CWE-326: Inadequate Encryption Strength
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References (3)
Back to overview