Authlib JWS JWK Header Injection Unauth JWT Forgery, fixed 1.6.9
CVE-2026-27962 Published on March 16, 2026

Authlib JWS JWK Header Injection: Signature Verification Bypass
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

Github Repository NVD

Vulnerability Analysis

CVE-2026-27962 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Improper Verification of Cryptographic Signature

The software does not verify, or incorrectly verifies, the cryptographic signature for data.


Products Associated with CVE-2026-27962

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 

Affected Versions

authlib: Red Hat Quay 3.10: Red Hat Quay 3.14: Red Hat Quay 3.15: Red Hat Quay 3.16: Red Hat Lightspeed Core: Red Hat Ansible Automation Platform 2: Red Hat OpenShift AI (RHOAI): Red Hat Satellite 6:

Vulnerable Packages

The following package name and versions may be associated with CVE-2026-27962

Package Manager Vulnerable Package Versions Fixed In
pip authlib <= 1.6.8 1.6.9

Exploit Probability

EPSS
0.41%
Percentile
32.55%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.