CVE-2026-28498 Overview
CVE-2026-28498 is an authentication bypass vulnerability discovered in Authlib, a Python library used for building OAuth and OpenID Connect (OIDC) servers. The vulnerability exists in the internal hash verification logic (_verify_hash) responsible for validating at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims in OIDC ID Tokens. When the library encounters an unsupported or unknown cryptographic algorithm, it exhibits fail-open behavior, silently returning True (validation passed) instead of properly rejecting the token. This allows attackers to bypass mandatory integrity protections by supplying forged ID Tokens with deliberately unrecognized alg header parameters.
Critical Impact
Attackers can forge OIDC ID Tokens and bypass authentication controls by exploiting the fail-open hash verification behavior, potentially gaining unauthorized access to protected resources and user accounts.
Affected Products
- Authlib versions prior to 1.6.9
- Applications implementing OIDC authentication using vulnerable Authlib versions
- OAuth/OIDC servers built with the affected Authlib library
Discovery Timeline
- 2026-03-16 - CVE-2026-28498 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-28498
Vulnerability Analysis
The vulnerability resides in the _verify_hash function within authlib/oidc/core/claims.py. This function is responsible for validating the at_hash and c_hash claims in OIDC ID Tokens, which are critical security mechanisms that bind access tokens and authorization codes to their respective ID Tokens. The implementation incorrectly handles cases where the create_half_hash function returns a falsy value (indicating an unsupported algorithm), causing the verification to pass unconditionally instead of failing securely.
This fail-open design fundamentally violates cryptographic best practices and OIDC specifications, which mandate that unknown or unsupported algorithms must result in verification failure. The vulnerability allows attackers to craft malicious ID Tokens with arbitrary alg header values that the library cannot process, effectively bypassing all hash-based integrity checks.
Root Cause
The root cause is improper integrity check validation (CWE-354) in the hash verification logic. The original code tested hash_value with a plain if not hash_value: condition and returned True when that condition held. Since create_half_hash returns None for unsupported algorithms, and None is falsy, the verification passed for any token whose alg the library could not process. The fix changes the condition to check explicitly for None and return False in that case, giving the check proper fail-closed behavior.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious OIDC ID Token with the following characteristics:
- Set the alg header parameter to an unsupported or unknown algorithm value
- Include arbitrary or forged at_hash and/or c_hash claims
- Present this token to an application using a vulnerable Authlib version
The library will fail to compute the expected hash value due to the unrecognized algorithm, but instead of rejecting the token, it will accept it as valid. This enables authentication bypass and potential account takeover scenarios through network-based attacks requiring no user interaction, though exploitation requires specific conditions to be met.
def _verify_hash(signature, s, alg):
hash_value = create_half_hash(s, alg)
- if not hash_value:
- return True
+ if hash_value is None:
+ return False
return hmac.compare_digest(hash_value, to_bytes(signature))
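Review bot: The change from `if not hash_value: return True` to `if hash_value is None: return False` is the right direction, but the hunk carries no regression test pinning it down; a test that calls _verify_hash with a made-up alg and a plausible-looking signature and asserts False would keep the fail-closed behaviour from regressing. Two smaller points: an empty hash_value (should create_half_hash ever return one) now reaches compare_digest instead of being short-circuited, which is safer but deserves a comment, and the function still returns a bare False, so a caller cannot distinguish "hash mismatch" from "unknown algorithm", which is exactly the signal the detection guidance on this page wants logged.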
Source: GitHub Commit Details
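The two shapes of the check shown in the commit above, side by side, as an added example rather than Authlib's own code: create_half_hash here is a simplified stand-in (an assumed mapping from JWS alg to hash family, then base64url of the left half of the digest, as OIDC Core specifies for at_hash and c_hash), and the access token and forged claim are constructed values.

```python
import base64
import hashlib
import hmac

# Hash family used for at_hash / c_hash per JWS alg. Constructed mapping for
# this example; it mirrors the idea of the library's lookup, not its exact table.
HASH_FOR_ALG = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}

def create_half_hash(s, alg):
    """base64url of the left half of hash(s); None when alg is not recognised."""
    hash_name = HASH_FOR_ALG.get(alg)
    if hash_name is None:
        return None
    digest = hashlib.new(hash_name, s.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=")

def verify_hash_vulnerable(signature, s, alg):
    """Pre-1.6.9 shape: None is falsy, so an unknown alg passes verification."""
    hash_value = create_half_hash(s, alg)
    if not hash_value:
        return True
    return hmac.compare_digest(hash_value, signature.encode("ascii"))

def verify_hash_fixed(signature, s, alg):
    """1.6.9 shape: an unknown alg fails closed; everything else is compared."""
    hash_value = create_half_hash(s, alg)
    if hash_value is None:
        return False
    return hmac.compare_digest(hash_value, signature.encode("ascii"))

if __name__ == "__main__":
    access_token = "constructed-access-token-value"  # constructed sample
    genuine = create_half_hash(access_token, "RS256").decode("ascii")
    forged = "AAAAAAAAAAAAAAAAAAAAAA"                   # constructed claim
    print("genuine at_hash, RS256 :", verify_hash_fixed(genuine, access_token, "RS256"))
    print("forged, RS256, old/new :", verify_hash_vulnerable(forged, access_token, "RS256"),
          verify_hash_fixed(forged, access_token, "RS256"))
    print("forged, XX999, old/new :", verify_hash_vulnerable(forged, access_token, "XX999"),
          verify_hash_fixed(forged, access_token, "XX999"))
```

With a recognised alg both versions agree; only the unknown-alg row differs, and that row is the whole vulnerability.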
Detection Methods for CVE-2026-28498
Indicators of Compromise
- OIDC ID Tokens with unusual or non-standard alg header values (e.g., custom strings, deprecated algorithms, or random values)
- Authentication events where token validation succeeds despite mismatched at_hash or c_hash values
- Unexpected authentication successes from untrusted identity providers or suspicious token issuers
Detection Strategies
- Implement application-level logging to capture all alg header values in received OIDC tokens and alert on non-standard values
- Monitor authentication audit logs for successful authentications that correlate with suspicious token characteristics
- Deploy web application firewall rules to inspect and flag OIDC tokens with uncommon algorithm specifications
Monitoring Recommendations
- Enable verbose logging in Authlib to capture token validation decisions and algorithm processing
- Implement real-time alerting for authentication anomalies, particularly successful authentications following failed cryptographic operations
- Conduct periodic security audits of OIDC implementation configurations and token validation behaviors
How to Mitigate CVE-2026-28498
Immediate Actions Required
- Upgrade Authlib to version 1.6.9 or later immediately
- Review authentication logs for evidence of exploitation using forged tokens with non-standard algorithm headers
- Audit all applications and services using Authlib for OIDC authentication and prioritize patching
- Consider implementing additional token validation at the application layer as defense-in-depth
Patch Information
The vulnerability has been patched in Authlib version 1.6.9. The fix modifies the _verify_hash function to implement fail-closed behavior by returning False when create_half_hash returns None for an unsupported algorithm. Users should upgrade using pip:
pip install --upgrade "authlib>=1.6.9"
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-m344-f55w-2m6j and the release notes for version 1.6.9.
Workarounds
- Implement an allowlist of supported algorithms at the application layer before tokens reach Authlib validation
- Add pre-validation checks to reject tokens with unrecognized alg header values
- Deploy network-level controls to restrict token sources to trusted identity providers only
# Shell example
# Verify current Authlib version and upgrade if vulnerable
pip show authlib | grep Version
pip install --upgrade "authlib>=1.6.9"
# Verify the upgrade was successful
python -c "import authlib; print(authlib.__version__)"
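An added example, not part of the page or of Authlib, that puts the application-layer allowlist from the Workarounds and the log-scanning idea from Detection Strategies into code: ALLOWED_ALGS, the key=value audit-log format and the sample tokens are assumptions constructed for the example, and the gate inspects only the unverified JWS header, leaving signature and claim checks to the library.

```python
import base64
import json
# Algorithms the application's identity provider is known to use. Constructed
# allowlist for this example; adjust it to your own provider's configuration.
ALLOWED_ALGS = frozenset({"RS256", "ES256"})
def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding

def id_token_alg(token):
    """Return the 'alg' from a compact JWS header, or None if it is malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        return None
    return header["alg"]

def prevalidate_id_token(token):
    """Gate to run before the library sees the token: returns (accepted, reason)."""
    alg = id_token_alg(token)
    if alg is None:
        return False, "malformed JWS header"
    if alg not in ALLOWED_ALGS:
        return False, "alg %r is not on the allowlist" % alg
    return True, alg

def scan_auth_log(lines):
    """Flag successful authentications whose logged alg is off the allowlist."""
    flagged = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("result") == "success" and fields.get("alg") not in ALLOWED_ALGS:
            flagged.append(fields)
    return flagged

def _segment(obj):  # helper to build the constructed sample tokens below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed tokens: the third segment is a placeholder, signatures are not checked here.
GOOD_TOKEN = ".".join([_segment({"alg": "RS256"}), _segment({"sub": "alice"}), "sig"])
ODD_TOKEN = ".".join([_segment({"alg": "XX999"}), _segment({"sub": "alice"}), "sig"])
# Constructed key=value audit log lines for scan_auth_log.
SAMPLE_LOG = ["ts=2026-03-16T10:00:00Z sub=alice alg=RS256 result=success",
              "ts=2026-03-16T10:00:05Z sub=bob alg=XX999 result=success",
              "ts=2026-03-16T10:00:09Z sub=carol alg=XX999 result=failure"]
```

The gate rejects ODD_TOKEN before Authlib runs, and the scan flags only the bob line: a success recorded with an alg outside the allowlist is the event worth alerting on.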
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.