External risk intelligence

Authlib JWK Header Injection Allows JWT Forgery

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-27962

Authlib is a library used to build OAuth and OpenID Connect servers. These services are by design public-facing, internet-accessible endpoints responsible for handling authentication and identity for applications, making them a primary and necessary component of internet-facing infrastructure.

Deserialization

Authlib

before 1.6.9

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Authlib, a Python library used for building authentication and authorization servers. The issue could allow an attacker to forge security tokens, potentially bypassing authentication and authorization checks. The main concern is confirming if this library is in use and, if so, assessing the potential exposure.

  • Forging security tokens bypasses authentication.
  • Affects core authentication and authorization services.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can forge arbitrary JWT tokens by exploiting a weakness in Authlib's JWS implementation. This allows them to bypass authentication and authorization mechanisms by creating tokens that appear to be cryptographically valid. The vulnerability is triggered when the library incorrectly uses a key embedded within a specially crafted JWT header.

  • No authentication required.
  • Forged JWT header injection.
  • Bypasses authentication and authorization.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to forge arbitrary JWT tokens, bypassing signature verification. When a server is configured to accept tokens with a null key for deserialization, an attacker can create a malicious token signed with their own key and embed their public key within the token's JWK header. This allows the server to accept the forged token as valid, potentially leading to unauthorized access.

  • Server authentication tokens at risk.
  • Forged tokens could bypass security checks.
  • Unauthorized access to services may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for managing authentication and authorization services, as well as application owners leveraging the Authlib library, must take immediate action. The first step is to locate all instances of the affected library, confirm exposure to external networks, and identify business-critical systems that rely on it. Subsequently, a risk-based remediation plan should be developed, prioritizing systems with the highest exposure and impact.

  • Application and platform teams own the issue.
  • Verify external reachability and criticality first.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Authlib and why do developers use it?

Authlib is a Python library that provides the core functionality needed to build OAuth and OpenID Connect servers. It is commonly used by developers to handle identity management, user authentication, and authorization flows within their applications, allowing their systems to securely exchange tokens and manage user access permissions.

How does the JWK Header Injection vulnerability in CVE-2026-27962 work?

This flaw belongs to the Improper Verification of Cryptographic Signature weakness class. When the library is instructed to deserialize a token without a pre-defined key, it mistakenly trusts a public key provided by the user within the token's own header. Because the library uses this attacker-controlled key to verify the signature, an attacker can generate a custom token and sign it with their own private key, tricking the server into accepting it as authentic.

Do I need a valid account to trigger this CVE-2026-27962 issue?

No. This vulnerability does not require any prior authentication or special permissions. It is triggered by the library's flawed handling of incoming JWS deserialization requests. It is important to note that this specific bug only manifests when the application code passes a 'null' key to the library's deserialization functions; if your specific implementation always requires a secure, pre-defined server key, the vulnerability may not be reachable.

Why does Halo Surface Signal categorize this vulnerability as external?

Halo Surface Signal labels this as external because Authlib is primarily used to build authentication endpoints. These endpoints must be reachable by users across the internet to perform their function, which naturally places them on the public-facing edge of your infrastructure. This increases the likelihood that these services can be accessed and targeted by remote, unauthenticated entities.

What are the first steps to address this Authlib vulnerability?

Start by identifying every application in your environment that includes Authlib as a dependency. Once you have a list of affected systems, prioritize checking those that are internet-facing or handle sensitive authentication traffic. Coordinate with your application teams to update the library to version 1.6.9 or newer, which contains the fix for this issue, and verify that your internal code does not pass null keys to JWS deserialization functions.

References