
CVE-2026-28498 - Vulnerability Analysis

Severity: High | CVSS: 7.5

Last Updated: March 17, 2026

Authlib - Authentication Bypass

Published: March 16, 2026 | Updated: March 17, 2026 | PoC Available | Remote Exploitable

Overview

Authlib Python library versions earlier than 1.6.9 contain a broken-authentication flaw caused by fail-open hash verification logic for the at_hash and c_hash claims in OpenID Connect ID Tokens. Because the check does not fail when the token carries an unsupported alg value, an attacker can bypass the integrity checks on these claims. Exploitation requires a crafted, forged ID Token.
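The fail-open pattern described above, as an added illustration that is not Authlib's own code: both functions build the OIDC at_hash / c_hash value (digest of the access token or code with the hash that matches the ID Token's alg, left half, base64url without padding), but only the hardened one rejects an alg it cannot map to a digest. The alg table and function names are assumptions for this example.

```python
import base64
import hashlib
import hmac

# JWS alg -> digest used for at_hash / c_hash (OpenID Connect Core 1.0, 3.1.3.6).
# Table constructed for this example; it is not Authlib's own mapping.
HASH_FOR_ALG = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def expected_hash(value: str, alg: str) -> str:
    """Left half of the digest of `value`, base64url-encoded without padding."""
    digest = hashlib.new(HASH_FOR_ALG[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_fail_open(claim: str, value: str, alg: str) -> bool:
    """Illustrative fail-open pattern (the bug class in the overview, not Authlib's code):
    an alg outside the table skips the comparison and reports success."""
    if alg not in HASH_FOR_ALG:
        return True
    return hmac.compare_digest(claim, expected_hash(value, alg))


def verify_hash_fail_closed(claim: str, value: str, alg: str) -> bool:
    """Hardened form: an unsupported alg means the claim cannot be checked, so reject."""
    if alg not in HASH_FOR_ALG:
        return False
    return hmac.compare_digest(claim, expected_hash(value, alg))


if __name__ == "__main__":
    token = "constructed-access-token-value"  # constructed sample, not a real token
    good = expected_hash(token, "RS256")
    print("RS256, valid claim:", verify_hash_fail_closed(good, token, "RS256"))  # True
    print("none, fail-open   :", verify_hash_fail_open(good, token, "none"))     # True (bug)
    print("none, fail-closed :", verify_hash_fail_closed(good, token, "none"))   # False
```

The same check applies unchanged to c_hash, with the authorization code in place of the access token.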

Severity & Score

Severity: High
CVSS Score: 7.5
EPSS Score: 1.2% (probability of exploitation in the next 30 days)

Impact

Attackers can bypass token integrity checks, potentially allowing unauthorized access or impersonation.

Mitigation

Upgrade to version 1.6.9 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 18, 2026

🟠 CVE-2026-28498 - High (7.5) Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specificall... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28498/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-28498
Severity: High
CVSS Score: 7.5
Type: broken_authentication
Status: confirmed
EPSS: 1.2%
Social Posts: 1

CWE

  • CWE-354

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score

1.2% (probability of exploitation in the next 30 days)