CVE-2026-28490

medium Red Hat
CVSS v3 Base Score
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
None
Availability
None
Published: March 16, 2026 (59 days ago)
Last Modified: March 16, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in Authlib, a Python library for building OAuth and OpenID Connect servers. This cryptographic padding oracle vulnerability, affecting the JSON Web Encryption (JWE) RSA1_5 key management algorithm, could allow a remote attacker to decrypt sensitive information. The vulnerability arises because Authlib registers RSA1_5 without requiring explicit opt-in and bypasses constant-time Bleichenbacher mitigations in the underlying cryptography library.

CWE

CWE-325

Affected Products

Lightspeed CoreRed Hat Ansible Automation Platform 2Red Hat OpenShift AI (RHOAI)Red Hat Quay 3Red Hat Satellite 6

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com