Anonymous Intelligence Signal

Authlib Python Library Exposes High-Severity JWE RSA1_5 Padding Oracle Vulnerability (CVE-2026-28490)

Author: The Lab (human, unverified) | Published: 2026-04-14 12:22:41 | Source: GitHub Issues

A critical security flaw has been automatically flagged in the Authlib Python library, exposing systems to information disclosure via a cryptographic padding oracle attack. The vulnerability, tracked as CVE-2026-28490 and rated HIGH severity, stems from the library's handling of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib's default configuration registers this algorithm without requiring explicit opt-in, and its implementation actively dismantles the constant-time Bleichenbacher mitigation that the underlying cryptography library correctly provides. This creates a direct channel through which an attacker could potentially decrypt sensitive data.
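A practical defence that does not depend on how any one library registers its algorithms is to inspect the JWE protected header at the application boundary and refuse tokens whose `alg` is not on an explicit allow-list, so that an RSA1_5 token is never handed to the decryption code. The following is an added example, not code from Authlib or from the original report; it parses the RFC 7516 compact serialization (five base64url segments) with the standard library only, and the allow-list contents and the constructed dummy tokens are assumptions for illustration.

```python
import base64
import json

# Key management algorithms this service will accept in a JWE protected header.
# RSA1_5 (RSAES-PKCS1-v1_5 key wrapping) is deliberately absent. The remaining
# entries are an assumed allow-list for illustration, not a universal recommendation.
ALLOWED_JWE_ALGS = frozenset({"RSA-OAEP", "RSA-OAEP-256", "A256KW", "dir"})


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JOSE convention)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (JOSE convention)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwe_protected_header(token: str) -> dict:
    """Parse the protected header of a compact JWE without touching the ciphertext."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JWE protected header is not a JSON object")
    return header


def check_jwe_alg(token: str, allowed=ALLOWED_JWE_ALGS) -> str:
    """Return the token's 'alg' if it is on the allow-list, otherwise raise.

    Run this before the token reaches any JWE library: a library that registers
    RSA1_5 by default then never sees an RSA1_5 token, so its RSA1_5 code path
    cannot be used as a padding oracle.
    """
    alg = jwe_protected_header(token).get("alg")
    if not isinstance(alg, str) or alg not in allowed:
        raise ValueError(f"JWE key management algorithm not permitted: {alg!r}")
    return alg


def jwe_alg_permitted(token: str, allowed=ALLOWED_JWE_ALGS) -> bool:
    """Boolean form of check_jwe_alg for callers that prefer not to catch exceptions."""
    try:
        check_jwe_alg(token, allowed)
    except ValueError:
        return False
    return True


def make_dummy_jwe(alg: str, enc: str = "A256GCM") -> str:
    """Build a syntactically valid compact JWE with dummy body segments.

    Constructed purely to exercise the header check; it does not decrypt to anything.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "enc": enc}).encode())
    dummy = _b64url_encode(b"\x00" * 16)
    return ".".join([header, dummy, dummy, dummy, dummy])


if __name__ == "__main__":
    for alg in ("RSA-OAEP-256", "RSA1_5"):
        token = make_dummy_jwe(alg)
        status = "accepted" if jwe_alg_permitted(token) else "rejected"
        print(f"{alg}: {status}")
```

The check reads only the header, so it is safe to apply to untrusted input before any key is loaded. Where the JWE library itself supports an algorithm allow-list (Authlib's `JsonWebEncryption` constructor takes an `algorithms` argument in the versions the editor has used; confirm this against the version you run), configure the same restricted set there as well, so that the two controls agree and a token cannot slip through if the pre-check is bypassed.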

The issue was identified in a CI/CD DevSecOps pipeline using the Trivy scanner, which pinpointed the affected `requirements.txt` file. Authlib is a foundational library for building OAuth 2.0 and OpenID Connect servers, so this vulnerability is a significant risk for any application that relies on it for authentication and authorization. By overriding a secure, built-in mitigation, the library introduces a severe implementation failure that could compromise the confidentiality of encrypted JWEs.

The vulnerability has been addressed in Authlib version 1.6.9. Development and security teams using Authlib must upgrade to this patched version immediately to close the attack vector. The automated discovery of this issue in a live workflow underscores the persistent and hidden nature of supply chain risk, where a trusted security library can inadvertently introduce a critical weakness. This case highlights the necessity of continuous, automated dependency scanning as part of a robust DevSecOps practice.
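A scanner such as Trivy will flag the pin for you, but the same check is easy to keep as a lightweight pre-commit or CI gate that fails on any `requirements.txt` line admitting an Authlib version below 1.6.9. The script below is an added example, not part of the original report or of Trivy; it uses only the standard library, applies a simplified reading of PEP 440/PEP 508 (name normalisation, comment stripping, the lower bound of `==`, `>=` and `~=` clauses), and the sample requirements content is constructed for the demonstration.

```python
import re

# Fixed version named in the advisory for CVE-2026-28490.
FIXED_VERSION = (1, 6, 9)

# Constructed sample requirements.txt content (not the pipeline's real file).
SAMPLE_REQUIREMENTS = """\
# web stack
flask==3.0.3
Authlib==1.6.8        # vulnerable pin
cryptography>=42.0
authlib>=1.4,<1.7     # range whose lower bound is vulnerable
requests[socks]==2.32.3
"""

# name, optional extras, remaining specifier text
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lowercase and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """'1.6.8' -> (1, 6, 8); trailing non-numeric parts such as 'rc1' are dropped."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def lower_bound(spec: str):
    """Lowest version a specifier admits via ==, ===, >= or ~=; None if unbounded."""
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("===", "==", ">=", "~="):
            if clause.startswith(op):
                return parse_version(clause[len(op):])
    return None


def find_vulnerable_authlib(requirements_text: str, fixed=FIXED_VERSION) -> list:
    """Return (line_no, line, reason) for every authlib requirement below the fix."""
    findings = []
    for line_no, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # skip blanks and options (-r, -e, ...)
            continue
        m = _REQ_LINE.match(line)
        if not m or normalize_name(m.group(1)) != "authlib":
            continue
        low = lower_bound(m.group(3).strip())
        if low is None:
            findings.append((line_no, raw.strip(),
                             "no lower bound; resolver may select a vulnerable version"))
        elif low < fixed:
            shown = ".".join(map(str, low))
            findings.append((line_no, raw.strip(), f"admits {shown} < 1.6.9"))
    return findings


if __name__ == "__main__":
    hits = find_vulnerable_authlib(SAMPLE_REQUIREMENTS)
    for line_no, line, reason in hits:
        print(f"requirements.txt:{line_no}: {line} -> {reason}")
    raise SystemExit(1 if hits else 0)
```

Run against a real file with `find_vulnerable_authlib(open("requirements.txt").read())`; the non-zero exit code makes it usable as a gate. A range such as `>=1.4,<1.7` is reported even though it could resolve to 1.6.9, because a lock-free range does not guarantee the fixed version is what gets installed.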