CVE-2026-27962

Authlib · Authlib

A JWK header injection vulnerability in Authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWTs: the attacker signs a token with a private key of their own choosing, embeds the matching public key in the token's jwk header, and the library uses that embedded key to verify the signature.

Executive summary

Authlib is vulnerable to a critical authentication bypass. When an application asks the library to verify a JWS without supplying its own verification key, an unauthenticated attacker can present a forged token that passes signature verification and gain access to protected resources as any user.

Vulnerability

This is a JWK header injection vulnerability: when a JWS is deserialized with no key supplied (key=None), the library takes the verification key from the token's own jwk header, which the attacker controls. The attacker generates a key pair, signs a token carrying arbitrary claims with the private key, and embeds the public key as the jwk header. The library then verifies the signature against that embedded key, so the forged token is accepted as valid. Applications that always pass their own verification key do not take this code path; applications that leave it to the library to find the key do.

Business impact

A successful exploit results in a total bypass of the authentication and authorization framework. Attackers can impersonate any user, including administrators, leading to full data compromise and unauthorized system control. The CVSS score of 9.1 reflects the critical nature of this flaw, as it undermines the core security trust model of the OAuth and OpenID Connect implementation.

Remediation

Immediate Action: Update the Authlib Python package to version 1.6.9 or later, which stops the JWS deserialization functions from accepting key material taken from the token's own header. Pin the fixed version in the dependency manifest and lock file so a later downgrade cannot reintroduce the flaw.

Proactive Monitoring: Review application logs for unexpected administrative logins and for tokens that carry a jwk header or a kid that your issuer never emitted. A forged token has a valid signature, so signature-failure logs will not reveal this attack. Also audit the code base for calls to Authlib's JWS deserialization functions where the key argument is None or omitted; those call sites are the ones that take the vulnerable path.

Compensating Controls: Until the patch is applied, never let the library choose the verification key: pass an explicit key, or a key lookup that selects from a server-side key set by kid and ignores the token's jwk header, and restrict the allowed signing algorithms to the ones your issuer actually uses. Validating the "iss" (issuer) and "aud" (audience) claims remains good practice but does not defend against this flaw on its own, because the attacker who forges the signature also chooses every claim in the token.
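The mechanism described under Vulnerability and the key-handling fix described under Remediation, as an added worked example that is not Authlib's code and not part of this advisory. It is a standard-library reimplementation of the two verifier behaviours: one that falls back to the token's own jwk header when no key is given, and one that only accepts keys from a server-side trust store selected by kid. HS256 with an oct JWK is used so it runs without third-party packages; the real attack embeds an attacker-generated public key, but the flaw is identical, since the verification key comes from the token. The issuer, audience, key identifier and trust store are constructed for the demo. The example also shows why the iss/aud checks listed under Compensating Controls do not stop the forgery: the forged token carries the expected values and still passes the vulnerable verifier.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed values for the demo (not from the advisory).
ISSUER = "https://idp.example"
AUDIENCE = "api.example"
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_compact(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def _split(token: str) -> Tuple[dict, dict, bytes, bytes]:
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            f"{h}.{p}".encode(), b64url_decode(s))


def _verify_sig(header: dict, signing_input: bytes, sig: bytes, key: bytes) -> None:
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("disallowed alg")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")


def check_claims(payload: dict) -> None:
    """iss/aud checks: good hygiene, but the forger chooses these values."""
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        raise ValueError("iss/aud mismatch")


def vulnerable_verify(token: str, key: Optional[bytes] = None) -> dict:
    """Flawed pattern: with key=None, use the key the token carries in 'jwk'."""
    header, payload, signing_input, sig = _split(token)
    if key is None and "jwk" in header:
        jwk = header["jwk"]                      # attacker-controlled key material
        if jwk.get("kty") != "oct":
            raise ValueError("example handles oct keys only")
        key = b64url_decode(jwk["k"])
    if key is None:
        raise ValueError("no verification key")
    _verify_sig(header, signing_input, sig, key)
    check_claims(payload)
    return payload


# Constructed server-side trust store: kid -> key. Never sourced from the token.
TRUSTED_KEYS: Dict[str, bytes] = {"srv-2026-03": secrets.token_bytes(32)}


def hardened_verify(token: str) -> dict:
    """Key comes only from the trust store, selected by 'kid'; header keys are rejected."""
    header, payload, signing_input, sig = _split(token)
    # Reject every header that would let the token name its own key material.
    if any(k in header for k in ("jwk", "jku", "x5u", "x5c")):
        raise ValueError("key material in the JOSE header is not accepted")
    key = TRUSTED_KEYS.get(header.get("kid", ""))
    if key is None:
        raise ValueError("unknown kid")
    _verify_sig(header, signing_input, sig, key)
    check_claims(payload)
    return payload


def forge_token(claims: dict) -> str:
    """Attacker side: sign with a self-chosen key and ship that key in the header."""
    attacker_key = secrets.token_bytes(32)
    header = {"alg": "HS256", "kid": "srv-2026-03",
              "jwk": {"kty": "oct", "k": b64url_encode(attacker_key)}}
    return sign_compact(header, claims, attacker_key)


def demo() -> Tuple[str, bool]:
    """Returns (subject accepted by the vulnerable verifier, rejected by hardened?)."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin", "role": "admin"}
    forged = forge_token(claims)
    who = vulnerable_verify(forged)["sub"]        # accepted: signature and claims check out
    try:
        hardened_verify(forged)
        rejected = False
    except ValueError:
        rejected = True
    return who, rejected


if __name__ == "__main__":
    print(demo())   # ('admin', True)
```

The point to take from hardened_verify is that the verification key is chosen by the server from a kid it already knows, and any header that names a key (jwk here, and the related jku, x5u and x5c headers as a defensive extra) is refused outright rather than merely ignored.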

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability allows the creation of "golden tokens" that pass signature verification and therefore bypass every downstream authorization check that trusts the token's claims. Teams must prioritize updating the Authlib Python package to version 1.6.9 or later. Until the fix is deployed, every verification path that relies on the library to pick the key leaves the identity infrastructure open to trivial compromise.