{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/authlib/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["joserfc \u003c= 1.6.7"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","jwt","python","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["Authlib"],"content_html":"\u003cp\u003eA significant vulnerability, CVE-2026-49852, has been identified in the \u003ccode\u003ejoserfc\u003c/code\u003e Python library (versions \u003ccode\u003e\u0026lt;= 1.6.7\u003c/code\u003e), allowing for complete authentication bypass. This flaw, a cross-language sibling of CVE-2026-45363 affecting \u003ccode\u003eruby-jwt\u003c/code\u003e, enables an unauthenticated attacker to forge valid HMAC-signed JSON Web Tokens (HS256, HS384, HS512) without any secret knowledge. The vulnerability arises when an application using \u003ccode\u003ejoserfc.jwt.decode\u003c/code\u003e inadvertently supplies an empty string or \u003ccode\u003eNone\u003c/code\u003e as the HMAC verification key. This misconfiguration commonly occurs when keys are sourced from unset environment variables, missing database entries, or fallbacks that return empty values. Although \u003ccode\u003ejoserfc\u003c/code\u003e issues a \u003ccode\u003eSecurityWarning\u003c/code\u003e for short keys, it does not reject zero-length keys, leading to successful verification of attacker-crafted tokens and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Misconfiguration\u003c/strong\u003e: A Python application using \u003ccode\u003ejoserfc\u003c/code\u003e is configured such that its JWT HMAC verification key resolves to an empty string (\u003ccode\u003e\u0026quot;\u0026quot;\u003c/code\u003e) or \u003ccode\u003eNone\u003c/code\u003e (e.g., \u003ccode\u003eos.environ.get(\u0026quot;JWT_SECRET\u0026quot;, \u0026quot;\u0026quot;)\u003c/code\u003e if \u003ccode\u003eJWT_SECRET\u003c/code\u003e is unset).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Claims\u003c/strong\u003e: The attacker creates a JSON payload with arbitrary claims (e.g., \u003ccode\u003e{\u0026quot;sub\u0026quot;: \u0026quot;attacker\u0026quot;, \u0026quot;admin\u0026quot;: True}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Prepares JWT\u003c/strong\u003e: The attacker constructs the JWT header (\u003ccode\u003e{\u0026quot;alg\u0026quot;: \u0026quot;HS256\u0026quot;, \u0026quot;typ\u0026quot;: \u0026quot;JWT\u0026quot;}\u003c/code\u003e) and the crafted payload, then Base64Url-encodes them to form the \u003ccode\u003esigning_input\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Signs with Empty Key\u003c/strong\u003e: The attacker generates an HMAC signature by hashing the \u003ccode\u003esigning_input\u003c/code\u003e using an empty key (\u003ccode\u003ehmac.new(b\u0026quot;\u0026quot;, signing_input, hashlib.sha256).digest()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Submits Forged Token\u003c/strong\u003e: The attacker concatenates the header, payload, and the empty-key signature into a full JWT and submits it to the vulnerable application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Attempts Verification\u003c/strong\u003e: The application receives the forged JWT and attempts to verify it using \u003ccode\u003ejoserfc.jwt.decode\u003c/code\u003e, which retrieves the misconfigured empty key.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Verification\u003c/strong\u003e: \u003ccode\u003ejoserfc\u003c/code\u003e's \u003ccode\u003eHMACAlgorithm.verify\u003c/code\u003e uses the empty key to re-compute the HMAC digest, which matches the attacker's empty-key signature.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access\u003c/strong\u003e: The \u003ccode\u003ejoserfc\u003c/code\u003e library successfully decodes the forged token, allowing the application to grant the attacker unauthorized access with the arbitrary claims, such as elevated administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability in \u003ccode\u003ejoserfc\u003c/code\u003e allows for a complete authentication bypass, enabling unauthenticated attackers to forge arbitrary claims, including user roles, scopes, and expiration times. This directly leads to unauthorized access to protected resources and potential privilege escalation on any service utilizing the \u003ccode\u003ejoserfc\u003c/code\u003e library with a misconfigured empty HMAC key. While the precondition for exploitation requires an operator misconfiguration (e.g., an unset environment variable), the silence of the misconfiguration (only a \u003ccode\u003eSecurityWarning\u003c/code\u003e is emitted, not an error) makes it a critical threat. The vulnerability has a CVSS 3.1 score of 7.4 (High), indicating significant confidentiality and integrity impact due to the authentication bypass.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-49852\u003c/strong\u003e: Urgently update the \u003ccode\u003ejoserfc\u003c/code\u003e library to a patched version once available. Monitor the \u003ccode\u003eAuthlib\u003c/code\u003e GitHub repository and PyPI for the release.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Secret Management\u003c/strong\u003e: Implement strict controls to ensure that JWT secrets are never empty strings or \u003ccode\u003eNone\u003c/code\u003e when retrieved from environment variables, configuration files, or key finders. Ensure that \u003ccode\u003eOctKey.import_key\u003c/code\u003e always receives a non-empty, sufficiently long secret.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Key Length Validation\u003c/strong\u003e: Manually implement a check for key length (e.g., \u003ccode\u003eif not key or len(key) \u0026lt; 14: raise ValueError(\u0026quot;HMAC key invalid\u0026quot;)\u003c/code\u003e) before passing it to \u003ccode\u003ejoserfc.jwt.decode\u003c/code\u003e if an immediate upgrade is not possible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInventory \u003ccode\u003ejoserfc\u003c/code\u003e Usage\u003c/strong\u003e: Scan your codebase for all instances of \u003ccode\u003ejoserfc.jwt.decode\u003c/code\u003e and the versions of the \u003ccode\u003ejoserfc\u003c/code\u003e package (\u003ccode\u003epip/joserfc\u003c/code\u003e) deployed in your environment, particularly those running versions \u003ccode\u003e\u0026lt;= 1.6.7\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:46:24Z","date_published":"2026-07-03T11:46:24Z","id":"https://feed.craftedsignal.io/briefs/2026-07-joserfc-empty-key-jwt/","summary":"A critical vulnerability, CVE-2026-49852, exists in the Python `joserfc` library (versions `\u003c= 1.6.7`) where HMAC-signed JSON Web Tokens can be forged, leading to complete authentication bypass, if the application is configured to verify tokens with an empty or `None` HMAC key.","title":"joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (CVE-2026-49852)","url":"https://feed.craftedsignal.io/briefs/2026-07-joserfc-empty-key-jwt/"}],"language":"en","title":"CraftedSignal Threat Feed - Authlib","version":"https://jsonfeed.org/version/1.1"}