<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Authlib - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/authlib/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:46:24 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/authlib/feed.xml" rel="self" type="application/rss+xml"/><item><title>joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (CVE-2026-49852)</title><link>https://feed.craftedsignal.io/briefs/2026-07-joserfc-empty-key-jwt/</link><pubDate>Fri, 03 Jul 2026 11:46:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-joserfc-empty-key-jwt/</guid><description>A critical vulnerability, CVE-2026-49852, exists in the Python `joserfc` library (versions `&lt;= 1.6.7`) where HMAC-signed JSON Web Tokens can be forged, leading to complete authentication bypass, if the application is configured to verify tokens with an empty or `None` HMAC key.</description><content:encoded><![CDATA[<p>A significant vulnerability, CVE-2026-49852, has been identified in the <code>joserfc</code> Python library (versions <code>&lt;= 1.6.7</code>), allowing for complete authentication bypass. This flaw, a cross-language sibling of CVE-2026-45363 affecting <code>ruby-jwt</code>, enables an unauthenticated attacker to forge valid HMAC-signed JSON Web Tokens (HS256, HS384, HS512) without any secret knowledge. The vulnerability arises when an application using <code>joserfc.jwt.decode</code> inadvertently supplies an empty string or <code>None</code> as the HMAC verification key. This misconfiguration commonly occurs when keys are sourced from unset environment variables, missing database entries, or fallbacks that return empty values. Although <code>joserfc</code> issues a <code>SecurityWarning</code> for short keys, it does not reject zero-length keys, leading to successful verification of attacker-crafted tokens and unauthorized access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Application Misconfiguration</strong>: A Python application using <code>joserfc</code> is configured such that its JWT HMAC verification key resolves to an empty string (<code>&quot;&quot;</code>) or <code>None</code> (e.g., <code>os.environ.get(&quot;JWT_SECRET&quot;, &quot;&quot;)</code> if <code>JWT_SECRET</code> is unset).</li>
<li><strong>Attacker Crafts Claims</strong>: The attacker creates a JSON payload with arbitrary claims (e.g., <code>{&quot;sub&quot;: &quot;attacker&quot;, &quot;admin&quot;: True}</code>).</li>
<li><strong>Attacker Prepares JWT</strong>: The attacker constructs the JWT header (<code>{&quot;alg&quot;: &quot;HS256&quot;, &quot;typ&quot;: &quot;JWT&quot;}</code>) and the crafted payload, then Base64Url-encodes them to form the <code>signing_input</code>.</li>
<li><strong>Attacker Signs with Empty Key</strong>: The attacker generates an HMAC signature by hashing the <code>signing_input</code> using an empty key (<code>hmac.new(b&quot;&quot;, signing_input, hashlib.sha256).digest()</code>).</li>
<li><strong>Attacker Submits Forged Token</strong>: The attacker concatenates the header, payload, and the empty-key signature into a full JWT and submits it to the vulnerable application.</li>
<li><strong>Application Attempts Verification</strong>: The application receives the forged JWT and attempts to verify it using <code>joserfc.jwt.decode</code>, which retrieves the misconfigured empty key.</li>
<li><strong>Vulnerable Verification</strong>: <code>joserfc</code>'s <code>HMACAlgorithm.verify</code> uses the empty key to re-compute the HMAC digest, which matches the attacker's empty-key signature.</li>
<li><strong>Unauthorized Access</strong>: The <code>joserfc</code> library successfully decodes the forged token, allowing the application to grant the attacker unauthorized access with the arbitrary claims, such as elevated administrative privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability in <code>joserfc</code> allows for a complete authentication bypass, enabling unauthenticated attackers to forge arbitrary claims, including user roles, scopes, and expiration times. This directly leads to unauthorized access to protected resources and potential privilege escalation on any service utilizing the <code>joserfc</code> library with a misconfigured empty HMAC key. While the precondition for exploitation requires an operator misconfiguration (e.g., an unset environment variable), the silence of the misconfiguration (only a <code>SecurityWarning</code> is emitted, not an error) makes it a critical threat. The vulnerability has a CVSS 3.1 score of 7.4 (High), indicating significant confidentiality and integrity impact due to the authentication bypass.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-49852</strong>: Urgently update the <code>joserfc</code> library to a patched version once available. Monitor the <code>Authlib</code> GitHub repository and PyPI for the release.</li>
<li><strong>Review Secret Management</strong>: Implement strict controls to ensure that JWT secrets are never empty strings or <code>None</code> when retrieved from environment variables, configuration files, or key finders. Ensure that <code>OctKey.import_key</code> always receives a non-empty, sufficiently long secret.</li>
<li><strong>Implement Key Length Validation</strong>: Manually implement a check for key length (e.g., <code>if not key or len(key) &lt; 14: raise ValueError(&quot;HMAC key invalid&quot;)</code>) before passing it to <code>joserfc.jwt.decode</code> if an immediate upgrade is not possible.</li>
<li><strong>Inventory <code>joserfc</code> Usage</strong>: Scan your codebase for all instances of <code>joserfc.jwt.decode</code> and the versions of the <code>joserfc</code> package (<code>pip/joserfc</code>) deployed in your environment, particularly those running versions <code>&lt;= 1.6.7</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>jwt</category><category>python</category><category>vulnerability</category><category>cve</category></item></channel></rss>