CVE-2026-34531
Modified Modified - Updated After Analysis

Authentication Bypass in Flask-HTTPAuth via Empty Token Handling

Vulnerability report for CVE-2026-34531, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-01

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-01
Last Modified
2026-05-28
Generated
2026-07-06
AI Q&A
2026-04-02
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
miguelgrinberg flask-httpauth to 4.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Flask-HTTPAuth versions prior to 4.8.1. When a client requests a token-protected resource without providing a token or provides an empty token, the library calls the application's token verification function with an empty string as the token.

If the application has any users whose token is set to an empty string, the client could be authenticated as one of those users without providing a valid token.

This could allow unauthorized access to protected resources.

Impact Analysis

This vulnerability can lead to unauthorized access to protected resources in an application using Flask-HTTPAuth for token authentication.

Specifically, if any user in the system has an empty string as their token, an attacker can gain access by sending a request with no token or an empty token.

This could result in information disclosure or unauthorized actions performed under the identity of those users.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Flask-HTTPAuth to version 4.8.1 or later, where the issue has been patched.

Compliance Impact

This vulnerability in Flask-HTTPAuth could allow unauthorized authentication if an application has users with empty string tokens, potentially leading to unauthorized access to protected resources.

Such unauthorized access could result in exposure or misuse of sensitive personal or health information, which may violate compliance requirements under standards like GDPR or HIPAA that mandate strict access controls and protection of user data.

Therefore, applications affected by this vulnerability might face increased risk of non-compliance with these regulations until they apply the patch in version 4.8.1.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart