CVE-2026-28498

Severity: High (Red Hat)
CVSS v3 Base Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Characteristics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentiality: High
Integrity: High
Availability: None

Published: March 16, 2026
Last Modified: March 16, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect (OIDC) servers. This vulnerability allows a remote attacker to bypass critical integrity checks in OIDC ID Tokens. Specifically, the library's internal hash verification logic fails open when encountering an unsupported cryptographic algorithm, accepting a forged ID Token as valid. This can lead to an authentication bypass, granting unauthorized access to systems relying on Authlib for OIDC authentication.
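To make the fail-open pattern in the description concrete, here is an added example (not Authlib's code) of an OIDC at_hash / c_hash check written both ways: the anti-pattern that treats an unrecognised "alg" as "nothing to verify", and the fail-closed form that rejects the token instead. The function names and the alg-to-digest table are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Constructed example, not Authlib's implementation.
# JWS "alg" -> digest used for at_hash / c_hash (OIDC Core 3.3.2.11):
# hash the value with the alg's digest and keep the left-most half.
_ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def expected_hash(value: str, alg: str) -> str:
    """Base64url (unpadded) left half of the digest the ID Token must carry.
    Raises ValueError when the alg has no known digest."""
    digest_name = _ALG_TO_HASH.get(alg)
    if digest_name is None:
        raise ValueError(f"unsupported alg for hash claim: {alg!r}")
    digest = hashlib.new(digest_name, value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_fail_open(value: str, claim: str, alg: str) -> bool:
    """Anti-pattern: an unknown alg short-circuits to 'valid', so an attacker
    who controls the header can skip the binding between token and value."""
    if alg not in _ALG_TO_HASH:
        return True  # fails open
    return hmac.compare_digest(expected_hash(value, alg), claim)


def verify_hash_strict(value: str, claim: str, alg: str) -> bool:
    """Fail closed: a missing claim, an unknown alg, or a mismatch all reject."""
    if not claim:
        return False
    try:
        expected = expected_hash(value, alg)
    except ValueError:
        return False
    return hmac.compare_digest(expected, claim)
```

The strict form is the behaviour to look for when reviewing a verifier: every branch that cannot positively confirm the hash must return a rejection, never a pass.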

Affected Products

Lightspeed Core
Red Hat Ansible Automation Platform 2
Red Hat OpenShift AI (RHOAI)
Red Hat Quay 3
Red Hat Satellite 6
