CVE-2026-28490

CVE Database · CVE-2026-28490

CVE-2026-28490

· MEDIUMAnalyzed

CVSS v3.1

6.5

CVSS v4.0

8.3

EPSS

0.14%

Published

Mar 16, 2026

Modified

Mar 17, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Weaknesses (CWE)

CWE-203CWE-327

Affected Products (1)

authlib · authlib (up to 1.6.9)vulnerable

References (3)

https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22

Patch

https://github.com/authlib/authlib/releases/tag/v1.6.9

ProductRelease Notes

https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78

ExploitMitigationVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs