Nixpkgs security tracker

Published

Permalink CVE-2026-41425

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 4 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 10 hours ago
@LeSuisse ignored
15 packages
- python312Packages.oauthlib
- python313Packages.oauthlib
- python314Packages.oauthlib
- python312Packages.hawkauthlib
- python313Packages.hawkauthlib
- python314Packages.hawkauthlib
- python312Packages.aiohttp-oauthlib
- python313Packages.aiohttp-oauthlib
- python314Packages.aiohttp-oauthlib
- python312Packages.requests-oauthlib
- python313Packages.requests-oauthlib
- python314Packages.requests-oauthlib
- python312Packages.google-auth-oauthlib
- python313Packages.google-auth-oauthlib
- python314Packages.google-auth-oauthlib
4 hours ago
@LeSuisse accepted 4 hours ago
@LeSuisse published on GitHub 4 hours ago

Authlib: Cross-site request forging when using cache

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

References

https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv x_refsource_CONFIRM

Affected products

authlib

==< 1.6.11

Matching in nixpkgs

pkgs.python312Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9
nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

Ignored packages (15)

pkgs.python312Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@flokli Florian Klink <flokli@flokli.de>

Untriaged

Permalink CVE-2026-28490

created 1 month, 1 week ago

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

References

https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78 x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22 x_refsource_MISC
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC

Affected products

authlib

==< 1.6.9

Matching in nixpkgs

pkgs.python312Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9
nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python312Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@sumnerevans Sumner Evans <me@sumnerevans.com>
@flokli Florian Klink <flokli@flokli.de>
@terlar Terje Larsen <terlar@gmail.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
@sarahec Sarah Clark <seclark@nextquestion.net>

Untriaged

Permalink CVE-2026-27962

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month, 1 week ago

Authlib JWS JWK Header Injection: Signature Verification Bypass

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

References

https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5 x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681 x_refsource_MISC
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC

Affected products

authlib

==< 1.6.9

Matching in nixpkgs

pkgs.python312Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9
nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python312Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@sumnerevans Sumner Evans <me@sumnerevans.com>
@flokli Florian Klink <flokli@flokli.de>
@terlar Terje Larsen <terlar@gmail.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
@sarahec Sarah Clark <seclark@nextquestion.net>

Untriaged

Permalink CVE-2026-28498

created 1 month, 1 week ago

Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.

References

https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b x_refsource_MISC
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC

Affected products

authlib

==< 1.6.9

Matching in nixpkgs

pkgs.python312Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9
nixos-25.11 1.6.9
- nixos-25.11-small 1.6.9
- nixpkgs-25.11-darwin 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python312Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@sumnerevans Sumner Evans <me@sumnerevans.com>
@flokli Florian Klink <flokli@flokli.de>
@terlar Terje Larsen <terlar@gmail.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
@sarahec Sarah Clark <seclark@nextquestion.net>

Published

Permalink CVE-2026-28802

updated 1 month, 2 weeks ago by @mweinelt Activity log

Created automatic suggestion 1 month, 2 weeks ago
@mweinelt ignored
15 packages
- python314Packages.google-auth-oauthlib
- python313Packages.google-auth-oauthlib
- python312Packages.google-auth-oauthlib
- python314Packages.requests-oauthlib
- python313Packages.requests-oauthlib
- python312Packages.requests-oauthlib
- python314Packages.aiohttp-oauthlib
- python313Packages.aiohttp-oauthlib
- python312Packages.aiohttp-oauthlib
- python314Packages.hawkauthlib
- python313Packages.hawkauthlib
- python312Packages.hawkauthlib
- python314Packages.oauthlib
- python313Packages.oauthlib
- python312Packages.oauthlib
1 month, 2 weeks ago
@mweinelt accepted 1 month, 2 weeks ago
@mweinelt published on GitHub 1 month, 2 weeks ago

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

References

https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75 x_refsource_MISC
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7 x_refsource_MISC

Affected products

authlib

==>= 1.6.5, < 1.6.7

Matching in nixpkgs

pkgs.python312Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-25.11 1.6.3
- nixos-25.11-small 1.6.3
- nixpkgs-25.11-darwin 1.6.3

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.6
- nixpkgs-unstable 1.6.6
- nixos-unstable-small 1.6.6
nixos-25.11 1.6.3
- nixos-25.11-small 1.6.3
- nixpkgs-25.11-darwin 1.6.3

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.6
- nixpkgs-unstable 1.6.6
- nixos-unstable-small 1.6.6

Ignored packages (15)

pkgs.python312Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1
nixos-25.11 3.3.1
- nixos-25.11-small 3.3.1
- nixpkgs-25.11-darwin 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 2.0.0
- nixos-25.11-small 2.0.0
- nixpkgs-25.11-darwin 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4
nixos-25.11 1.2.3
- nixos-25.11-small 1.2.3
- nixpkgs-25.11-darwin 1.2.3

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@flokli Florian Klink <flokli@flokli.de>

https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib

pkgs.python313Packages.aiohttp-oauthlib

pkgs.python314Packages.aiohttp-oauthlib

pkgs.python312Packages.requests-oauthlib

pkgs.python313Packages.requests-oauthlib

pkgs.python314Packages.requests-oauthlib

pkgs.python312Packages.google-auth-oauthlib

pkgs.python313Packages.google-auth-oauthlib

pkgs.python314Packages.google-auth-oauthlib

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib

pkgs.python313Packages.aiohttp-oauthlib

pkgs.python314Packages.aiohttp-oauthlib

pkgs.python312Packages.requests-oauthlib

pkgs.python313Packages.requests-oauthlib

pkgs.python314Packages.requests-oauthlib

pkgs.python312Packages.google-auth-oauthlib

pkgs.python313Packages.google-auth-oauthlib

pkgs.python314Packages.google-auth-oauthlib

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib

pkgs.python313Packages.aiohttp-oauthlib

pkgs.python314Packages.aiohttp-oauthlib

pkgs.python312Packages.requests-oauthlib

pkgs.python313Packages.requests-oauthlib

pkgs.python314Packages.requests-oauthlib

pkgs.python312Packages.google-auth-oauthlib

pkgs.python313Packages.google-auth-oauthlib

pkgs.python314Packages.google-auth-oauthlib

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib