Inadequate Encryption Strength Affecting joserfc package, versions [,1.6.8)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Inadequate Encryption Strength vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-JOSERFC-17810170
  • published3 Jul 2026
  • disclosed2 Jul 2026
  • credittonghuaroot

Introduced: 2 Jul 2026

NewCVE-2026-49852  (opens in a new tab)
CWE-326  (opens in a new tab)

How to fix?

Upgrade joserfc to version 1.6.8 or higher.

Overview

Affected versions of this package are vulnerable to Inadequate Encryption Strength in the verify process. An attacker can gain unauthorized access and forge arbitrary claims by submitting tokens signed with an empty or null key, which are incorrectly accepted as valid signatures. This is only exploitable if the verification key is set to an empty string or None, such as when a secret is missing from configuration or environment variables.

CVSS Base Scores

version 4.0
version 3.1