CVE-2026-28490
Status: Received - Intake
Padding Oracle Vulnerability in Authlib's JWE RSA1_5 Implementation

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Authlib is a Python library for building OAuth and OpenID Connect servers. Prior to version 1.6.9, its implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm contained a cryptographic padding oracle. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and its RSA1_5 unwrap defeats the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly: by raising a distinct exception when the decrypted key has the wrong length, it turns a padding failure back into an observable signal. This issue has been patched in version 1.6.9.
Meta Information
Published: 2026-03-16
Last Modified: 2026-03-17
Page generated: 2026-05-07
AI Q&A generated: 2026-03-16
EPSS evaluated: 2026-05-05 (no CVSS score, EPSS probability or percentile is shown on this page)
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: authlib
Product: authlib
Version / Range: all versions before 1.6.9 (1.6.9 itself is not affected)
CWE
CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.
CWE-203: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28490 is a cryptographic padding oracle vulnerability in the Authlib Python library, versions up to and including 1.6.8, in its implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm.

Authlib registers RSA1_5 by default without requiring explicit opt-in, and its unwrap step undoes the constant-time Bleichenbacher mitigation of the underlying cryptography library. That library does not raise on a bad PKCS#1 v1.5 padding; it returns a synthetic random message instead, precisely so that a caller cannot tell a padding failure from a successful decryption. Authlib then checks the length of the decrypted Content Encryption Key (CEK) and raises its own exception if the length is wrong, which reintroduces the very signal the mitigation was hiding.

The result is a reliable exception oracle with two distinguishable failures: ValueError on a wrong-length (invalid padding) result, and InvalidTag when the padding was valid but the recovered CEK does not authenticate the content. By submitting many modified encrypted keys and observing which failure occurs, an attacker can run a Bleichenbacher padding oracle attack against the RSA key, recover the CEK and decrypt or forge JWE tokens without the private key.


How can this vulnerability impact me?

This vulnerability allows an attacker to exploit the padding oracle to recover the Content Encryption Key (CEK) used in JWE tokens.

With the recovered CEK, the attacker can decrypt intercepted encrypted JWE payloads, potentially exposing sensitive information.

Additionally, the attacker can forge valid JWE tokens without possessing the private RSA key, which can lead to unauthorized access or privilege escalation in systems using Authlib for OAuth or OpenID Connect.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing distinguishable error responses from an Authlib-powered endpoint that accepts JWE tokens using the RSA1_5 key management algorithm. Specifically, two different exceptions surface: ValueError('Invalid "cek" length') on invalid padding, and InvalidTag on valid padding but a wrong authentication tag. Seeing both, depending only on how the encrypted key was tampered with, indicates the vulnerability.

The quickest check is the installed version: run `pip show authlib` in each deployment's Python environment; any version below 1.6.9 that accepts RSA1_5 JWE tokens is affected.

To test an endpoint directly, submit JWE tokens whose encrypted key has been modified and observe the error responses or logs for these distinct exceptions. In the default configurations of common Python web frameworks (Flask, Django, FastAPI), the vulnerability manifests as distinguishable uncaught exceptions, so monitoring HTTP 500 responses and server logs for these specific error messages or stack traces can help identify the issue.

No specific command-line tools or commands are provided in the resources [1]; a practical approach is to send test JWE tokens with invalid padding and compare the server's responses or log entries for the two distinct exceptions. Note that an oracle needs only a consistent difference, not the exception text: two differently shaped 500 responses, or a logged ValueError versus a logged InvalidTag, are enough.


What immediate steps should I take to mitigate this vulnerability?

Update Authlib to version 1.6.9 or later, where the vulnerability is patched. The patch changes the RSA1_5 `unwrap` method so that a padding failure no longer produces a distinguishable exception: instead of raising on a wrong-length result, it substitutes a random Content Encryption Key (CEK) of the correct length, so every failure surfaces as the same content-decryption error and constant-time behaviour is restored.

Where an upgrade cannot happen immediately, stop accepting RSA1_5: take it out of the set of JWE algorithms the application allows. The advisory's own recommendation is to remove RSA1_5 from Authlib's default JWE algorithm registry and require explicit opt-in, with a security warning, for legacy support.

Additionally, ensure that the application does not expose detailed exception messages or stack traces in production environments. This limits what an attacker learns, but it is defence in depth only: any consistent difference between the two failure paths (status code, response size, timing) still serves as the oracle. [1, 2]
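The exception oracle described in the explanation above, and the patched unwrap behaviour described in the mitigation answer, as an added illustration in Python. This is not Authlib's code and uses none of its API: the RSA operation is left out so the block runs offline, the "encrypted key" is modelled as the PKCS#1 v1.5 encryption block itself, `pkcs1_v15_unpad_implicit_rejection` stands in for the cryptography library's `decrypt` (returning a synthetic random-length message on a non-conforming block instead of raising), and an HMAC tag stands in for the AES-GCM tag. `unwrap_vulnerable` and `unwrap_patched` follow the pre-1.6.9 and 1.6.9 behaviour as the advisory text describes it, not Authlib's source; the tampering patterns and the payload are constructed.

```python
"""Model of the RSA1_5 unwrap exception oracle behind CVE-2026-28490.

Added illustration, NOT Authlib's code. The RSA operation is omitted so the
block runs offline: the "encrypted key" is the PKCS#1 v1.5 encryption block
itself, and pkcs1_v15_unpad_implicit_rejection() stands in for
key.decrypt(ek, PKCS1v15()) in a cryptography/OpenSSL build with implicit
rejection, which returns a synthetic random-length message on a
non-conforming block instead of raising. An HMAC tag stands in for AES-GCM.
"""
import hashlib
import hmac
import os

K = 128        # modulus length in bytes (RSA-1024) for the model
CEK_LEN = 32   # content-encryption key length, e.g. A256GCM


class InvalidTag(Exception):
    """Stand-in for cryptography.exceptions.InvalidTag."""


def pkcs1_v15_pad(message: bytes) -> bytes:
    """EME-PKCS1-v1_5: 00 02 <non-zero PS of at least 8 bytes> 00 M."""
    ps_len = K - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(b or 1 for b in os.urandom(ps_len))   # PS must not contain 0x00
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad_implicit_rejection(block: bytes) -> bytes:
    """Decode a block; on a non-conforming one return a synthetic message whose
    length is derived deterministically from the block (OpenSSL derives it from
    a PRF over the private key and the ciphertext). Never raises."""
    sep = block[2:].find(b"\x00")          # -1 if there is no separator at all
    if len(block) == K and block[:2] == b"\x00\x02" and sep >= 8:
        return block[2 + sep + 1:]
    synth_len = hashlib.sha256(block).digest()[0] % (K - 10)   # 0 .. K-11
    return os.urandom(synth_len)


def unwrap_vulnerable(ek: bytes) -> bytes:
    """Pre-1.6.9 pattern: a wrong-length result raises its own exception."""
    cek = pkcs1_v15_unpad_implicit_rejection(ek)
    if len(cek) != CEK_LEN:
        raise ValueError('Invalid "cek" length')
    return cek


def unwrap_patched(ek: bytes) -> bytes:
    """1.6.9 pattern as the advisory describes it: substitute a random CEK of
    the right length, so the only failure a caller can observe is the content
    decryption failing."""
    cek = pkcs1_v15_unpad_implicit_rejection(ek)
    if len(cek) != CEK_LEN:
        cek = os.urandom(CEK_LEN)
    return cek


def content_seal(cek: bytes, plaintext: bytes) -> tuple:
    """Stand-in for AES-GCM seal: (ciphertext, tag), with HMAC as the tag."""
    return plaintext, hmac.new(cek, plaintext, "sha256").digest()


def content_open(cek: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Stand-in for AES-GCM open: wrong CEK -> InvalidTag."""
    if not hmac.compare_digest(hmac.new(cek, ciphertext, "sha256").digest(), tag):
        raise InvalidTag()
    return ciphertext


def probe(unwrap, ek: bytes, ciphertext: bytes, tag: bytes) -> str:
    """What the submitter of one token observes: the class of failure, if any."""
    try:
        content_open(unwrap(ek), ciphertext, tag)
        return "ok"
    except ValueError:
        return "ValueError"
    except InvalidTag:
        return "InvalidTag"


def oracle_observations(unwrap, trials: int = 200) -> set:
    """Submit `trials` tampered encrypted keys against a fresh token and return
    the distinct responses seen. Two distinct failures make a usable oracle;
    a single one means the oracle is closed."""
    cek = os.urandom(CEK_LEN)
    ek = pkcs1_v15_pad(cek)
    ciphertext, tag = content_seal(cek, b"constructed payload")   # constructed
    seen = set()
    for i in range(trials):
        tampered = bytearray(ek)
        if i % 3 == 0:
            tampered[1] ^= 0x01                           # header broken: non-conforming
        elif i % 3 == 1:
            tampered[2 + (i % (K - 3 - CEK_LEN))] = 0x00  # separator moved: wrong length
        else:
            tampered[-1] ^= 0x01                          # conforming, but CEK altered
        seen.add(probe(unwrap, bytes(tampered), ciphertext, tag))
    return seen


if __name__ == "__main__":
    print("vulnerable:", sorted(oracle_observations(unwrap_vulnerable)))
    print("patched:   ", sorted(oracle_observations(unwrap_patched)))
```

`oracle_observations(unwrap_vulnerable)` returns both failure classes, `oracle_observations(unwrap_patched)` only InvalidTag. Note what the leaked bit actually is in the vulnerable path: not "padding conforming" but "conforming and the message is exactly CEK_LEN bytes", a stricter oracle that a Bleichenbacher attack still exploits at the cost of more queries. The configuration-side mitigation, an explicit JWE algorithm list that omits RSA1_5, is independent of this code.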

