CVE-2026-28490

CVE-2026-28490

A flaw was found in Authlib, a Python library for building OAuth and OpenID Connect servers. This cryptographic padding oracle vulnerability, affecting the JSON Web Encryption (JWE) RSA1_5 key management algorithm, could allow a remote attacker to decrypt sensitive information. The vulnerability arises because Authlib registers RSA1_5 without requiring explicit opt-in and bypasses constant-time Bleichenbacher mitigations in the underlying cryptography library.

CVE-2026-28490

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

CVE-2026-28490

Authlib is a Python library which builds OAuth and OpenID Connect serv ...

GHSA-7432-952r-cw78

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle