CVE-2026-34531
Modified Modified - Updated After Analysis
Authentication Bypass in Flask-HTTPAuth via Empty Token Handling

Publication date: 2026-04-01

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34531
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
miguelgrinberg flask-httpauth to 4.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Flask-HTTPAuth versions prior to 4.8.1. When a client requests a token-protected resource without providing a token or provides an empty token, the library calls the application's token verification function with an empty string as the token.

If the application has any users whose token is set to an empty string, the client could be authenticated as one of those users without providing a valid token.

This could allow unauthorized access to protected resources.

Impact Analysis

This vulnerability can lead to unauthorized access to protected resources in an application using Flask-HTTPAuth for token authentication.

Specifically, if any user in the system has an empty string as their token, an attacker can gain access by sending a request with no token or an empty token.

This could result in information disclosure or unauthorized actions performed under the identity of those users.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Flask-HTTPAuth to version 4.8.1 or later, where the issue has been patched.

Compliance Impact

This vulnerability in Flask-HTTPAuth could allow unauthorized authentication if an application has users with empty string tokens, potentially leading to unauthorized access to protected resources.

Such unauthorized access could result in exposure or misuse of sensitive personal or health information, which may violate compliance requirements under standards like GDPR or HIPAA that mandate strict access controls and protection of user data.

Therefore, applications affected by this vulnerability might face increased risk of non-compliance with these regulations until they apply the patch in version 4.8.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart