Security Vulnerability Report
CVE-2026-34531 CVSS 6.5 MEDIUM

CVE-2026-34531

Published: 2026-04-01 21:17:01
Last Modified: 2026-04-16 16:21:05

Description

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, when a client made a request to a token-protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback with the token argument set to an empty string. If the application had any users in its database with an empty string stored as their token, the request could be authenticated as any of those users. This issue has been patched in version 4.8.1.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:miguelgrinberg:flask-httpauth:*:*:*:*:*:python:*:* - VULNERABLE
Flask-HTTPAuth < 4.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
from flask import Flask
from flask_httpauth import HTTPTokenAuth

app = Flask(__name__)
auth = HTTPTokenAuth(scheme='Bearer')

# Simulated user database
# Vulnerable condition: a user exists with an empty string as the token
users = {
    "": {"id": 1, "role": "admin"},
    "valid_token_123": {"id": 2, "role": "user"}
}


@auth.verify_token
def verify_token(token):
    # In vulnerable versions the callback receives an empty string ""
    # when no token is provided. If "" is a valid key in users,
    # the request is authenticated as that user.
    if token in users:
        return users[token]
    return None


@app.route('/protected')
@auth.login_required
def protected_resource():
    # If exploited without a token, this returns the admin user info
    return f"Logged in as User ID: {auth.current_user()['id']}"


if __name__ == '__main__':
    # To test: run the server and send a GET request to /protected
    # WITHOUT the Authorization header. The vulnerable server treats
    # the missing token as an empty string and authenticates as admin.
    app.run(debug=True)
```
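The following is an added example, not code from the advisory or from the Flask-HTTPAuth project. It models the pre-4.8.1 token handling in plain Python so it runs without Flask, places the hardened verifier beside the vulnerable one, and adds an audit helper that flags the empty-token records that make a deployment exposed. The function names, the simplified authentication model and the user table are constructed assumptions.

```python
import hmac
from typing import Optional

# Constructed sample user table mirroring the PoC: one record has an empty token.
USERS = {
    "": {"id": 1, "role": "admin"},
    "valid_token_123": {"id": 2, "role": "user"},
}


def extract_bearer_token(authorization: Optional[str]) -> Optional[str]:
    """Return the token from a Bearer Authorization header, or None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip()


def vulnerable_authenticate(authorization: Optional[str], users=USERS):
    # Simplified model (assumption, not the library's own code) of the pre-4.8.1
    # behaviour: a missing, malformed or empty token reaches the callback as "".
    token = extract_bearer_token(authorization) or ""
    return users.get(token)  # "" matches the empty-token record


def hardened_authenticate(authorization: Optional[str], users=USERS):
    # Guard at the boundary: never hand an empty token to the verifier.
    token = extract_bearer_token(authorization)
    if not token:
        return None
    # Inside the verifier, skip empty stored tokens even if the database holds
    # them, and compare in constant time to avoid timing side channels.
    for stored, user in users.items():
        if stored and hmac.compare_digest(stored.encode(), token.encode()):
            return user
    return None


def users_with_empty_token(users=USERS) -> list:
    """Audit helper: ids of users whose stored token is empty or whitespace-only."""
    return [u["id"] for t, u in users.items() if not t.strip()]
```

Running the audit helper against a real user store is the quickest way to tell whether a pre-4.8.1 deployment was actually exposed, independent of upgrading.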

References

https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1 (Product, Release Notes)
https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg (Mitigation, Vendor Advisory)
https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34531", "sourceIdentifier": "[email protected]", "published": "2026-04-01T21:17:01.147", "lastModified": "2026-04-16T16:21:05.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", 
"value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:miguelgrinberg:flask-httpauth:*:*:*:*:*:python:*:*", "versionEndExcluding": "4.8.1", "matchCriteriaId": "27C90FDD-EF05-4AF2-BDE6-4E47481562E2"}]}]}], "references": [{"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee", "source": "[email protected]", "tags": ["Patch"]}]}}