SCA: security update for authlib (GHSA-m344-f55w-2m6j)

high Tenable Self-Hosted Container Security Plugin ID 438849

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a
library-level vulnerability was identified in the Authlib Python library concerning the validation of
OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash)
responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims
exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This
flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a
deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently
returns True (validation passed), inherently violating fundamental cryptographic design principles and
direct OIDC specifications. This issue has been patched in version 1.6.9. (CVE-2026-28498)

Solution

Update the authlib library and its related packages to version 1.6.9 or later.

See Also

https://github.com/advisories/GHSA-m344-f55w-2m6j

Plugin Details

Severity: High

ID: 438849

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/16/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-28498

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/16/2026

Vulnerability Publication Date: 3/16/2026

Reference Information

CVE: CVE-2026-28498