CVSS 7.5 HIGH Vulnerability

CVE-2026-49852: joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of C…


CVSS Score: 7.5
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-49852
Vendor: pip
Affected Product: joserfc
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory →
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary: joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None. HMACAlgorithm.sign and HMACAlgorithm.verify in [src/joserfc/_rfc7518/jws_algs.py:62-70](https://github.com/authlib/joserfc/blob/1ddca8f3c73ff47e3bc3ac06cb0c08a9535677ec/src/joserfc/_rfc7518/jws_algs.py#L62-L70) feed whatever OctKey.get_op_key(...) produced into hmac.new(...), and OctKey.import_key only emits a SecurityWarning when the raw key is shorter than 14 bytes, without rejecting zero-length input. Any application whose JWT secret is sourced from an unset environment variable, an unset Redis / DB row, a key-finder fallback that returns "", or a Hash.new("")-style default verifies attacker tokens forged with `HMAC(key=b""
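The defensive fix the advisory implies is to validate the key before it ever reaches hmac.new(). The following is an added example, not joserfc's own code: a minimal compact-JWS signer/verifier using only the Python standard library. naive_verify models the unguarded pattern (a None or "" secret silently becomes an empty HMAC key), while validate_hmac_key and hardened_verify reject None, empty and undersized keys, pin the expected algorithm, and compare signatures in constant time. The minimum key sizes follow RFC 7518 section 3.2 (key at least as long as the hash output); every function name and the sample payload are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _unchecked_sign(payload: dict, key: bytes, alg: str) -> str:
    # Models the unguarded sign path: whatever key bytes arrive go straight into hmac.new().
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), HASHES[alg]).digest()
    return signing_input + "." + _b64url_encode(sig)


def naive_verify(token: str, key, alg: str) -> bool:
    # Models the vulnerable pattern: an unset secret (None or "") is coerced to b""
    # and treated as a perfectly good HMAC key.
    if key is None:
        key = b""
    if isinstance(key, str):
        key = key.encode("utf-8")
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), HASHES[alg]).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def validate_hmac_key(key, alg: str) -> bytes:
    """Reject None, empty and undersized keys before they reach hmac.new()."""
    if alg not in HASHES:
        raise ValueError(f"unsupported alg {alg!r}")
    if key is None:
        raise ValueError("HMAC key is None: the secret was never configured")
    if isinstance(key, str):
        key = key.encode("utf-8")
    if not isinstance(key, (bytes, bytearray)):
        raise TypeError("HMAC key must be bytes or str")
    if len(key) < MIN_KEY_BYTES[alg]:
        raise ValueError(
            f"HMAC key for {alg} must be at least {MIN_KEY_BYTES[alg]} bytes, got {len(key)}"
        )
    return bytes(key)


def sign(payload: dict, key, alg: str) -> str:
    """Issue a token only with a validated key."""
    return _unchecked_sign(payload, validate_hmac_key(key, alg), alg)


def hardened_verify(token: str, key, alg: str) -> dict:
    """Verify a compact JWS; raises ValueError on a bad key, alg mismatch or bad signature."""
    key_bytes = validate_hmac_key(key, alg)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != alg:
        # Pin the algorithm the caller expects; never let the token header choose it.
        raise ValueError(f"alg mismatch: expected {alg}, token says {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key_bytes, signing_input, HASHES[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def verifies(token: str, key, alg: str) -> bool:
    """Boolean wrapper around hardened_verify for callers that just need accept/reject."""
    try:
        hardened_verify(token, key, alg)
        return True
    except (ValueError, TypeError):
        return False
```

In a real deployment the same check belongs at configuration load time as well: fail startup when the secret is missing or shorter than the hash output, rather than discovering the problem when the first empty-key token is accepted.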

🎯 Known Indicators of Compromise

{"type":"sha1","value":"1ddca8f3c73ff47e3bc3ac06cb0c08a9535677ec","confidence_score":0.9,"first_seen":"2026-07-02","source_count":1}
{"type":"url","value":"https://github.com/authlib/joserfc/blob/1ddca8f3c73ff47e3bc3ac06cb0c08a9535677ec/src/joserfc/_rfc751","confidence_score":0.82,"first_seen":"2026-07-02","source_count":1}

📚 Advisory References
