SUSE-SU-2026:0975-1

Details

This update for python-Authlib fixes the following issues:

CVE-2026-27962: JWS deserialize_compact() allows for signature bypass by accepting user-controlled embedded JWK as verification key (bsc#1259738).
CVE-2026-28490: cryptographic padding oracle in JWE RSA1_5 key management algorithm (bsc#1259736).
CVE-2026-28498: fail-open in behavior OIDC hash validation allows for bypass mandatory integrity protections (bsc#1259737).

Affected Packages

python-Authlib

SUSE Linux Enterprise Module for Python 3 15 SP7SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6openSUSE Leap 15.6

Fixed in:

1.3.1-150600.3.17.1

python311-Authlib

SUSE Linux Enterprise Module for Python 3 15 SP7SUSE Linux Enterprise Server 15 SP6-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP6openSUSE Leap 15.6

Fixed in:

1.3.1-150600.3.17.1

References

REPORT

https://bugzilla.suse.com/1259736

REPORT

https://bugzilla.suse.com/1259737

REPORT

https://bugzilla.suse.com/1259738

WEB

https://www.suse.com/security/cve/CVE-2026-27962

WEB

https://www.suse.com/security/cve/CVE-2026-28490

WEB

https://www.suse.com/security/cve/CVE-2026-28498

ADVISORY

https://www.suse.com/support/update/announcement/2026/suse-su-20260975-1/