CVE-2026-27962 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: March 17, 2026
Authlib - Authentication Bypass
Overview
Authlib < 1.6.9 contains a JWK Header Injection caused by using the cryptographic key from attacker-controlled JWT jwk header when key=None is passed in JWS deserialization, letting unauthenticated attackers forge arbitrary JWT tokens that pass signature verification, exploit requires key=None parameter usage.
Severity & Score
Impact
Unauthenticated attackers can forge valid JWT tokens, bypassing authentication and authorization completely.
Mitigation
Update to version 1.6.9 or later.
References
Social Media Activity(2 posts)
š“ CVE-2026-27962 - Critical (9.1) Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass sign... š https://www.thehackerwire.com/vulnerability/CVE-2026-27962/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postš“ CVE-2026-27962 - Critical (9.1) Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass sign... š https://www.thehackerwire.com/vulnerability/CVE-2026-27962/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-27962
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- jwk_header_injection
- Status
- confirmed
- EPSS
- 6.4%
- Social Posts
- 2
CWE
- CWE-347
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N