CVE-2026-28490 in Authlib

Summary

by MITRE • 03/16/2026

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability identified as CVE-2026-28490 represents a critical cryptographic flaw within the Authlib Python library that affects implementations of JSON Web Encryption using the RSA1_5 key management algorithm. This library serves as a foundational component for building OAuth and OpenID Connect servers, making its security implications particularly severe for authentication and authorization systems. The flaw specifically targets the RSA1_5 algorithm, which is widely used for encrypting data in web applications, particularly in scenarios requiring secure token handling and identity verification processes. The vulnerability stems from the library's default registration of RSA1_5 in its algorithm registry without requiring explicit opt-in from developers, creating an unintended security exposure that affects systems using this encryption method.

The technical implementation flaw manifests through the improper handling of cryptographic padding validation during the JWE encryption process. When Authlib processes RSA1_5 encrypted data, it actively removes the constant-time mitigation that the underlying cryptography library correctly implements to prevent Bleichenbacher padding oracle attacks. This removal of security measures creates a timing-based vulnerability that allows attackers to exploit the cryptographic implementation through carefully crafted inputs that reveal information about the encryption keys or plaintext data. The vulnerability operates as a padding oracle because the library's response timing varies based on whether padding validation succeeds or fails, providing attackers with enough information to iteratively determine the encrypted content through mathematical analysis. This behavior directly violates the fundamental security principles outlined in the CWE-310 weakness classification, which specifically addresses cryptographic issues related to padding and timing attacks.

The operational impact of this vulnerability extends far beyond simple data encryption concerns, affecting the core security infrastructure of applications that rely on Authlib for identity management and authentication services. Attackers exploiting this vulnerability could potentially decrypt sensitive tokens, access unauthorized user sessions, or manipulate authentication flows within systems using the affected library version. The default registration of RSA1_5 means that applications using Authlib without explicit algorithm configuration are automatically vulnerable, creating a widespread risk across systems that may not even be aware of the specific cryptographic algorithm being used. This vulnerability particularly affects web applications implementing OAuth2 or OpenID Connect protocols where token encryption is critical for maintaining user session integrity and preventing unauthorized access to protected resources. The attack surface is significantly broadened because the vulnerability exists in the library's default behavior rather than requiring specific configuration choices that developers might overlook.

Organizations using Authlib versions prior to 1.6.9 face substantial risk of cryptographic attacks that could compromise user authentication and authorization systems. The patch released in version 1.6.9 addresses this vulnerability by restoring proper constant-time cryptographic operations and preventing the removal of security mitigations that were previously being incorrectly disabled. Security practitioners should prioritize updating their Authlib installations to version 1.6.9 or later to eliminate this padding oracle vulnerability. Additional mitigation strategies include reviewing application configurations to ensure explicit algorithm selection rather than relying on defaults, implementing monitoring for unusual cryptographic operation patterns, and conducting security assessments of authentication flows that utilize the affected library. The vulnerability demonstrates the importance of cryptographic library security and the critical need for proper implementation of timing-safe operations in security-sensitive code. This issue aligns with ATT&CK technique T1552.001, which covers credentials from password storage, as compromised authentication tokens could lead to unauthorized access to user accounts and systems. The vulnerability also relates to the broader category of cryptographic weakness in software libraries, highlighting the need for comprehensive security testing of cryptographic implementations in widely used Python packages.
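The two mitigations named above (upgrade to 1.6.9 or later, and explicit algorithm selection) can be checked before a token ever reaches the JWE library. The following is an added example, not code from Authlib or from this advisory; the allow-list contents, the function names and the sample tokens are assumptions made for illustration.

```python
import base64
import json
import re
from importlib import metadata

FIXED_VERSION = (1, 6, 9)  # first patched Authlib release named in the advisory
# Assumption: this deployment only needs RSA-OAEP key management.
ALLOWED_JWE_ALGS = frozenset({"RSA-OAEP", "RSA-OAEP-256"})

def authlib_is_patched(version: str) -> bool:
    """True only for a final release numbered 1.6.9 or later."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", version.strip())
    if not m:
        return False
    release = tuple(int(g or 0) for g in m.groups()[:3])
    if release == FIXED_VERSION and m.group(4):
        return False  # e.g. "1.6.9rc1": a suffix on the fix version is not trusted
    return release >= FIXED_VERSION

def installed_authlib_is_patched() -> bool:
    """Check the Authlib distribution in this environment; absent counts as safe."""
    try:
        return authlib_is_patched(metadata.version("Authlib"))
    except metadata.PackageNotFoundError:
        return True

def jwe_alg(token: str) -> str:
    """Return 'alg' from a compact JWE's protected header without decrypting."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 segments)")
    seg = parts[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise ValueError("malformed protected header") from exc
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise ValueError("protected header has no string 'alg'")
    return header["alg"]

def admit_jwe(token: str, allowed=ALLOWED_JWE_ALGS) -> bool:
    """Pre-decryption gate: one uniform answer for any token not on the allow-list."""
    try:
        return jwe_alg(token) in allowed
    except ValueError:
        return False

def sample_jwe(alg: str) -> str:
    """Constructed token: genuine header, placeholder remaining segments."""
    raw = json.dumps({"alg": alg, "enc": "A256GCM"}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".a2V5.aXY.Y3Q.dGFn"
```

Logging every token for which `jwe_alg` returns `RSA1_5` also gives a concrete signal for the monitoring step, since a deployment that never issues RSA1_5 tokens should not be receiving them.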

Responsible

GitHub M

Reservation

02/27/2026

Disclosure

03/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low

Sources
