CVE-2026-48990: CWE-400: Uncontrolled Resource Consumption in authlib joserfc
The joserfc Python library, used for JSON Object Signing and Encryption (JOSE) standards, has a vulnerability in versions 1.3.4 through 1.6.5 where it does not enforce payload size limits on RFC7797 b64=false JWS payloads. This allows oversized payloads to be processed, potentially causing resource exhaustion. The issue has been fixed in version 1.6.7. The vulnerability has a medium severity with a CVSS score of 5.3 and does not impact confidentiality or integrity, only availability.
AI Analysis
Technical Summary
In joserfc versions 1.3.4 through 1.6.5, the library fails to apply the configured maximum payload length (JWSRegistry.max_payload_length) to RFC7797 unencoded (b64=false) JWS payloads. While normal JWS compact and flattened JSON payloads are rejected if they exceed the size limit, the unencoded payload paths allow deserialization of oversized payloads. This can lead to uncontrolled resource consumption and availability degradation in applications relying on joserfc to enforce payload size limits during token verification. The vulnerability is tracked as CVE-2026-48990 and is fixed in version 1.6.7.
Potential Impact
The vulnerability allows an attacker to submit oversized unencoded JWS payloads that bypass the payload size checks, leading to resource exhaustion in the affected application. This results in a denial of service condition affecting availability. There is no impact on confidentiality or integrity. The risk is moderate and primarily affects applications that accept lower-trust JWS tokens and depend on joserfc for payload size enforcement.
Mitigation Recommendations
Upgrade joserfc to version 1.6.7 or later, where this issue is fixed. Until the upgrade, applications should implement additional payload size validation for RFC7797 b64=false JWS payloads before processing. Patch status is not explicitly stated in the vendor advisory, but the fix is available in version 1.6.7.
CVE-2026-48990: CWE-400: Uncontrolled Resource Consumption in authlib joserfc
Description
The joserfc Python library, used for JSON Object Signing and Encryption (JOSE) standards, has a vulnerability in versions 1.3.4 through 1.6.5 where it does not enforce payload size limits on RFC7797 b64=false JWS payloads. This allows oversized payloads to be processed, potentially causing resource exhaustion. The issue has been fixed in version 1.6.7. The vulnerability has a medium severity with a CVSS score of 5.3 and does not impact confidentiality or integrity, only availability.
CVSS v3.1
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In joserfc versions 1.3.4 through 1.6.5, the library fails to apply the configured maximum payload length (JWSRegistry.max_payload_length) to RFC7797 unencoded (b64=false) JWS payloads. While normal JWS compact and flattened JSON payloads are rejected if they exceed the size limit, the unencoded payload paths allow deserialization of oversized payloads. This can lead to uncontrolled resource consumption and availability degradation in applications relying on joserfc to enforce payload size limits during token verification. The vulnerability is tracked as CVE-2026-48990 and is fixed in version 1.6.7.
Potential Impact
The vulnerability allows an attacker to submit oversized unencoded JWS payloads that bypass the payload size checks, leading to resource exhaustion in the affected application. This results in a denial of service condition affecting availability. There is no impact on confidentiality or integrity. The risk is moderate and primarily affects applications that accept lower-trust JWS tokens and depend on joserfc for payload size enforcement.
Mitigation Recommendations
Upgrade joserfc to version 1.6.7 or later, where this issue is fixed. Until the upgrade, applications should implement additional payload size validation for RFC7797 b64=false JWS payloads before processing. Patch status is not explicitly stated in the vendor advisory, but the fix is available in version 1.6.7.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-26T23:26:07.975Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33168ef198dc38c1148dbc
Added to database: 6/17/2026, 9:50:06 PM
Last enriched: 6/17/2026, 10:06:08 PM
Last updated: 6/18/2026, 12:24:16 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.