Flask-HTTPAuth is a popular Python extension providing Basic, Digest, and Token HTTP authentication for Flask web applications. Prior to version 4.8.1, a vulnerability (CVE-2026-34531) existed due to improper handling of empty or missing tokens in token-based authentication. When a client request to a token-protected endpoint omits the token or sends an empty token, Flask-HTTPAuth invokes the application's token verification callback with an empty string as the token parameter. If the application's user database contains any users with an empty string as their token, the verification callback may incorrectly authenticate the client as one of those users. This results in improper authentication (CWE-287), allowing unauthorized access to protected resources. The vulnerability affects all Flask applications using Flask-HTTPAuth versions earlier than 4.8.1 that rely on token authentication and have users with empty string tokens. Exploitation does not require prior authentication or user interaction but depends on the application’s token management practices. The flaw impacts confidentiality by potentially exposing user data and integrity by allowing unauthorized actions under another user's identity. The vulnerability was addressed in Flask-HTTPAuth 4.8.1 by correcting the handling of empty tokens to prevent invocation of the verification callback with empty strings.

The vulnerability can lead to unauthorized access to protected resources if the application has users with empty string tokens, compromising confidentiality and integrity. Attackers could impersonate legitimate users without valid credentials, potentially accessing sensitive data or performing unauthorized operations. Although the attack complexity is high because it requires the presence of empty string tokens in the user database—a poor security practice—the impact on affected organizations can be significant, especially for applications handling sensitive or critical data. Since Flask-HTTPAuth is widely used in Python web applications globally, organizations relying on vulnerable versions may face risks of data breaches or unauthorized modifications. There is no impact on availability. No known exploits are reported in the wild yet, but the vulnerability is publicly disclosed, increasing the risk of exploitation attempts.

The primary mitigation is to upgrade Flask-HTTPAuth to version 4.8.1 or later, where the vulnerability is patched. Additionally, organizations should audit their user token databases to ensure no users have empty string tokens, as this is a poor security practice that facilitates exploitation. Implement strict token generation and validation policies to prevent empty or null tokens. Review and harden the token verification callback logic to reject empty or missing tokens explicitly. Employ comprehensive logging and monitoring of authentication attempts to detect anomalous access patterns. Conduct security testing on authentication flows to verify no improper authentication paths exist. Finally, educate developers on secure token management and the risks of improper authentication handling.