Anonymous Intelligence Signal

Authlib Python Library Exposes Critical JWT Authentication Bypass via JWK Header Injection (CVE-2026-27962)

human The Lab unverified 2026-04-14 12:22:51 Source: GitHub Issues

A critical vulnerability in the widely used Python authentication library Authlib allows attackers to forge valid JWT tokens and bypass authentication entirely. The flaw, tracked as CVE-2026-27962, resides in the library's JWS (JSON Web Signature) implementation. When a server uses `key=None` in JWS deserialization functions, the library automatically extracts and trusts the cryptographic key from the JWT's `jwk` header field, a field that is fully controlled by the attacker. This design flaw enables an unauthenticated party to sign a token with their own private key, embed the corresponding public key in the header, and have the server accept the forged token as cryptographically valid.

The vulnerability affects all versions of Authlib prior to 1.6.9. Authlib is a foundational library for building OAuth 2.0 and OpenID Connect servers in Python, making this a high-impact security issue for any application relying on it for user authentication and authorization. The flaw was identified through a DevSecOps CI workflow using the Trivy scanner, which flagged it in a project's `requirements.txt` file. The severity is classified as critical because it directly undermines the core security promise of JWT tokens.

The maintainers have released a patch in version 1.6.9. All projects using Authlib must immediately upgrade to this version to close the vulnerability. Failure to patch leaves applications exposed to complete authentication bypass, potentially granting unauthorized access to protected resources and administrative functions. This incident underscores the critical importance of automated dependency scanning in CI/CD pipelines to catch such severe vulnerabilities before they reach production.
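One defensive pattern for the `key=None` pitfall described above, as an added example that is not Authlib's own code and not part of the original signal: a pre-check that resolves the verification key only from a server-side key store and refuses any token whose header carries or points to its own key, so that the caller always hands the library an explicit key. The key store, the `kid` value and the sample tokens are constructed for illustration.

```python
import base64
import json

# Constructed trusted key store (server-side JWKS keyed by kid); placeholder key
# material. Verification keys come only from here, never from the token itself.
TRUSTED_KEYS = {
    "srv-2026-01": {"kty": "RSA", "kid": "srv-2026-01", "n": "PLACEHOLDER", "e": "AQAB"},
}
ALG_TO_KTY = {"RS256": "RSA", "ES256": "EC"}  # allowed algs and their key types
KEY_SUPPLYING_HEADERS = ("jwk", "jku", "x5u", "x5c")  # token-supplied key params

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a dummy signature, only to construct samples."""
    segs = (json.dumps(header).encode(), json.dumps(payload).encode(), b"dummy-sig")
    return ".".join(_b64url(s) for s in segs)

def select_verification_key(token: str) -> dict:
    """Resolve the key from TRUSTED_KEYS or raise; pass the result as the explicit key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64 and bad JSON both raise ValueError
        raise ValueError("malformed protected header") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    for name in KEY_SUPPLYING_HEADERS:  # refuse any header that brings its own key
        if name in header:
            raise ValueError(f"header supplies its own key via {name!r}")
    alg = header.get("alg")
    if alg not in ALG_TO_KTY:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    kid = header.get("kid")
    key = TRUSTED_KEYS.get(kid) if isinstance(kid, str) else None
    if key is None or key["kty"] != ALG_TO_KTY[alg]:
        raise ValueError("unknown kid or key type does not match alg")
    return key

def rejection_reason(token: str):
    """None if a trusted key resolves, otherwise why the token was refused."""
    try:
        select_verification_key(token)
    except ValueError as exc:
        return str(exc)
    return None
```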