Product
A critical vulnerability, CVE-2026-49852, exists in the Python `joserfc` library (versions `<= 1.6.7`) where HMAC-signed JSON Web Tokens can be forged, leading to complete authentication bypass, if the application is configured to verify tokens with an empty or `None` HMAC key.