CVE Reports

Originally published at cvereports.com

CVE-2026-28490: Bleichenbacher Padding Oracle in Authlib RSA1_5 JWE Implementation

Vulnerability ID: CVE-2026-28490
CVSS Score: 8.3
Published: 2026-03-16

Authlib versions prior to 1.6.9 contain a cryptographic padding oracle vulnerability in the JSON Web Encryption (JWE) RSA1_5 implementation. By mishandling the length check of decrypted Content Encryption Keys (CEK), the library exposes an exception oracle that allows unauthenticated remote attackers to decrypt intercepted JWE tokens via a Bleichenbacher attack.

TL;DR

A padding oracle vulnerability in Authlib's JWE RSA1_5 implementation allows remote attackers to decrypt intercepted JWE tokens. The issue stems from improper length validation of the decrypted CEK, which bypasses underlying cryptographic mitigations. Version 1.6.9 fixes the issue by disabling RSA1_5 by default.


Technical Details

  • CWE ID: CWE-203, CWE-327
  • Attack Vector: Network
  • CVSS Base Score: 8.3
  • Authentication Required: None
  • Exploit Status: Theoretical / No public PoC
  • Confidentiality Impact: High

Affected Systems

  • Authlib Python Library
  • Python Web Applications utilizing Authlib for OAuth/OIDC JWE processing
  • authlib: < 1.6.9 (Fixed in: 1.6.9)

Code Analysis

Commit: 48b345f

Fix for RSA1_5 Bleichenbacher padding oracle by disabling algorithm by default

Mitigation Strategies

  • Upgrade Authlib library to version 1.6.9 or greater.
  • Migrate cryptographic configurations from RSA1_5 to RSA-OAEP or ECDH-ES.
  • Implement aggressive rate limiting on authentication and token validation endpoints to hinder the high request volume required for padding oracle attacks.

Remediation Steps:

  1. Identify all microservices and applications within the infrastructure utilizing the Authlib dependency.
  2. Execute pip install --upgrade "authlib>=1.6.9" in the respective virtual environments or build pipelines (quote the requirement so the shell does not treat >= as a redirection).
  3. Review Authlib initialization code to ensure RSA1_5 is not explicitly passed to the algorithms whitelist parameter unless strictly required.
  4. Verify that client applications generating JWE tokens are configured to use modern key wrapping algorithms (e.g., RSA-OAEP-256).
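Steps 3 and 4 can be enforced at the token boundary rather than left to configuration review. The following screening check is an added example, not Authlib's own code: it reads the protected header of a compact JWE and refuses any token whose key-wrapping alg is not on an explicit allowlist before the token is handed to the decrypting library, so an RSA1_5 token never reaches the code path that exposes the padding oracle. The allowlist, the helper names and the sample tokens are assumptions constructed for the example.

```python
import base64
import json

# Key-wrapping algorithms a token consumer still accepts. This allowlist is an
# assumption chosen for the example; RSA1_5 is deliberately absent.
ALLOWED_ALGS = frozenset({"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A256KW"})

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JOSE."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwe_protected_header(token: str) -> dict:
    """Parse the protected header of a compact JWE (five dot-separated parts)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header

def screen_jwe(token: str, allowed=ALLOWED_ALGS) -> tuple:
    """Decide whether a JWE may be handed to the decrypting library.

    Returns (accepted, alg). The check runs before any RSA operation, so a
    token carrying alg=RSA1_5 never reaches the decrypting code path that
    leaks the padding oracle. Malformed tokens are rejected with alg '?'.
    """
    try:
        alg = jwe_protected_header(token).get("alg", "?")
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "?"
    return alg in allowed, alg

def make_token(header: dict) -> str:
    """Build a constructed compact JWE whose four trailing segments are dummy
    bytes; only the protected header matters to the screening check."""
    dummy = b64url_encode(b"\x00" * 16)
    return ".".join([b64url_encode(json.dumps(header).encode()), dummy, dummy, dummy, dummy])

if __name__ == "__main__":
    for hdr in ({"alg": "RSA1_5", "enc": "A128CBC-HS256"},
                {"alg": "RSA-OAEP-256", "enc": "A256GCM"}):
        print(hdr["alg"], "->", "accept" if screen_jwe(make_token(hdr))[0] else "reject")
```

Place the check in front of whatever calls the library's JWE deserialization; a rejected token should be logged with its alg value, since a burst of RSA1_5 tokens against a service that no longer issues them is the traffic pattern a padding-oracle attempt produces.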

Read the full report for CVE-2026-28490 on our website for more details including interactive diagrams and full exploit analysis.