Auth bypass in Authlib Joserfc

CVE-2026-49852

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification…

Vulnerability class: Broken Authentication

Affected products

Weakness classification (CWE)

References