{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27962", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.792Z", "datePublished": "2026-03-16T17:34:38.946Z", "dateUpdated": "2026-03-16T19:12:22.244Z"}, "containers": {"cna": {"title": "Authlib JWS JWK Header Injection: Signature Verification Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5"}, {"name": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681"}, {"name": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9"}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"version": "< 1.6.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-16T17:34:38.946Z"}, "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid \u2014 bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9."}], "source": {"advisory": "GHSA-wvwj-cvrp-7pv5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:11:52.468001Z", "id": "CVE-2026-27962", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:12:22.244Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27962", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:11:52.468001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:11:55.751Z"}}], "cna": {"title": "Authlib JWS JWK Header Injection: Signature Verification Bypass", "source": {"advisory": "GHSA-wvwj-cvrp-7pv5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"status": "affected", "version": "< 1.6.9"}]}], "references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5", "name": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681", "name": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "name": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid \u2014 bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-16T17:34:38.946Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27962", "state": "PUBLISHED", "dateUpdated": "2026-03-16T19:12:22.244Z", "dateReserved": "2026-02-25T03:24:57.792Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-16T17:34:38.946Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid \u2014 bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9."}], "id": "CVE-2026-27962", "lastModified": "2026-03-16T18:16:07.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T18:16:07.383", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681"}, {"source": "security-advisories@github.com", "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9"}, {"source": "security-advisories@github.com", "url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}