CVE-2026-28490
Received Received - Intake
Padding Oracle Vulnerability in Authlib's JWE RSA1_5 Implementation

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28490
EUVD
EUVD-2026-12480
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
authlib authlib to 1.6.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28490 is a cryptographic padding oracle vulnerability in the Authlib Python library versions up to 1.6.8, related to its implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm.

Authlib registers the RSA1_5 algorithm by default without requiring explicit opt-in and disables the constant-time Bleichenbacher mitigation implemented by the underlying cryptography library. Specifically, Authlib performs a length check on the decrypted Content Encryption Key (CEK) and raises a distinct exception if the length is invalid, which leaks information about padding validity.

This behavior creates a reliable exception oracle with two distinguishable error responses: one for invalid padding and another for valid padding but wrong MAC. Attackers can exploit these differences to perform a Bleichenbacher padding oracle attack, allowing them to recover the CEK and decrypt or forge JWE tokens without the private key.

Impact Analysis

This vulnerability allows an attacker to exploit the padding oracle to recover the Content Encryption Key (CEK) used in JWE tokens.

With the recovered CEK, the attacker can decrypt intercepted encrypted JWE payloads, potentially exposing sensitive information.

Additionally, the attacker can forge valid JWE tokens without possessing the private RSA key, which can lead to unauthorized access or privilege escalation in systems using Authlib for OAuth or OpenID Connect.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing distinguishable error responses from an Authlib-powered endpoint that accepts JWE tokens using the RSA1_5 key management algorithm. Specifically, the presence of two different exceptionsβ€”`ValueError(\'Invalid "cek" length\')` on invalid padding and `InvalidTag` on valid padding but wrong MACβ€”indicates the vulnerability.'}, {'type': 'paragraph', 'content': 'To detect it on your system, you can test the endpoint by submitting crafted JWE tokens with manipulated encrypted keys and observe the error responses or logs for these distinct exceptions.'}, {'type': 'paragraph', 'content': 'Since the vulnerability manifests as distinguishable exceptions in default configurations of common Python web frameworks (Flask, Django, FastAPI), monitoring HTTP 500 responses and server logs for these specific error messages or stack traces can help identify the issue.'}, {'type': 'paragraph', 'content': "No specific command-line tools or commands are provided in the resources, but a practical approach involves sending test JWE tokens with invalid padding and analyzing the server's error responses or logs for the two distinct exceptions."}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include removing the RSA1_5 algorithm from Authlib's default JWE algorithm registry and requiring explicit opt-in with security warnings for legacy support."}, {'type': 'paragraph', 'content': 'Updating Authlib to version 1.6.9 or later, where the vulnerability is patched, is strongly recommended.'}, {'type': 'paragraph', 'content': 'The patch modifies the `unwrap` method to suppress distinguishable exceptions on padding failure by returning a random Content Encryption Key (CEK) of the correct length instead of raising an exception, thus restoring constant-time behavior and eliminating the padding oracle.'}, {'type': 'paragraph', 'content': 'Additionally, ensure that your application does not expose detailed exception messages or stack traces in production environments, as these can leak information useful for exploiting the vulnerability.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart