GHSA-gg9x-qcx2-xmrh: joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
The joserfc library versions up to 1.6.7 accept attacker-forged HMAC-signed JWT tokens when the verification key is empty or None. This occurs because the library does not reject zero-length HMAC keys, allowing attackers to forge tokens without knowledge of a secret key. The vulnerability affects the HMACAlgorithm.sign and verify methods, which use the raw key directly without enforcing a minimum key length or rejecting empty keys. No patched release is currently available.
AI Analysis
Technical Summary
joserfc versions <= 1.6.7 contain a vulnerability where the HMAC-based JWT verification accepts empty or nil keys, enabling attackers to forge tokens. The root cause is that OctKey.import_key only warns when keys are shorter than 14 bytes but does not reject empty keys. Consequently, HMACAlgorithm.verify uses hmac.new with an empty key, which Python's hmac module accepts, allowing signature verification without a secret. This is a cross-language sibling of CVE-2026-45363 affecting ruby-jwt. The vulnerability is exploitable when the configured JWT secret is empty or None due to unset environment variables, missing database entries, or fallback defaults. No official fix or patch release exists yet.
Potential Impact
An attacker can forge valid JWT tokens without knowledge of the secret key if the verification key is empty or None. This compromises authentication and authorization mechanisms relying on joserfc for JWT verification, potentially allowing unauthorized access to protected resources. The vulnerability requires no privileges and can be exploited remotely if the application uses joserfc with an empty or unset secret key.
Mitigation Recommendations
No official patch or fixed release is currently available for joserfc. Operators must ensure that the JWT secret key is never empty or None in configuration or runtime environment. Applications should implement validation to reject empty or nil keys before calling joserfc.jwt.decode. Monitoring and auditing configuration sources for missing or empty secrets is recommended until an official fix is released.
GHSA-gg9x-qcx2-xmrh: joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
Description
The joserfc library versions up to 1.6.7 accept attacker-forged HMAC-signed JWT tokens when the verification key is empty or None. This occurs because the library does not reject zero-length HMAC keys, allowing attackers to forge tokens without knowledge of a secret key. The vulnerability affects the HMACAlgorithm.sign and verify methods, which use the raw key directly without enforcing a minimum key length or rejecting empty keys. No patched release is currently available.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
joserfc versions <= 1.6.7 contain a vulnerability where the HMAC-based JWT verification accepts empty or nil keys, enabling attackers to forge tokens. The root cause is that OctKey.import_key only warns when keys are shorter than 14 bytes but does not reject empty keys. Consequently, HMACAlgorithm.verify uses hmac.new with an empty key, which Python's hmac module accepts, allowing signature verification without a secret. This is a cross-language sibling of CVE-2026-45363 affecting ruby-jwt. The vulnerability is exploitable when the configured JWT secret is empty or None due to unset environment variables, missing database entries, or fallback defaults. No official fix or patch release exists yet.
Potential Impact
An attacker can forge valid JWT tokens without knowledge of the secret key if the verification key is empty or None. This compromises authentication and authorization mechanisms relying on joserfc for JWT verification, potentially allowing unauthorized access to protected resources. The vulnerability requires no privileges and can be exploited remotely if the application uses joserfc with an empty or unset secret key.
Mitigation Recommendations
No official patch or fixed release is currently available for joserfc. Operators must ensure that the JWT secret key is never empty or None in configuration or runtime environment. Applications should implement validation to reject empty or nil keys before calling joserfc.jwt.decode. Monitoring and auditing configuration sources for missing or empty secrets is recommended until an official fix is released.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-gg9x-qcx2-xmrh
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-49852"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a46ecbb27e9c7971943cddf
Added to database: 07/02/2026, 22:56:59 UTC
Last enriched: 07/02/2026, 23:14:05 UTC
Last updated: 07/02/2026, 23:14:05 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.