CVE-2026-27962

high Red Hat
CVSS v3 Base Score
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
None
Published: March 16, 2026 (59 days ago)
Last Modified: March 16, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in Authlib, a Python library used for creating secure authentication and authorization systems. This vulnerability, known as JWK (JSON Web Key) Header Injection, affects how Authlib verifies digital signatures in JWS (JSON Web Signature) tokens. An attacker can exploit this by creating a specially crafted token that includes their own cryptographic key in the header. When the system attempts to verify this token without a predefined key, it mistakenly uses the attacker's key, allowing them to bypass authentication and gain unauthorized access.

CWE

CWE-347

Affected Products

Lightspeed CoreRed Hat Ansible Automation Platform 2Red Hat OpenShift AI (RHOAI)Red Hat Quay 3Red Hat Satellite 6

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com