Platform: python
Component: flask-httpauth
Fixed in: 4.8.2, 4.8.1
CVE-2026-34531 describes an authentication bypass vulnerability in Flask-HTTPAuth versions up to 4.8.0. The flaw allows an attacker to authenticate requests as any user whose configured token is the empty string. It arises because the application's token verification callback is invoked even when the presented token is empty, so a callback that simply looks the token up can match such a user and grant access. A fix is available in version 4.8.1.
An attacker can exploit this vulnerability by sending requests to token-protected resources with no token or with an empty token. If the application's user store contains users whose token is the empty string, the attacker is authenticated as one of those users. Depending on the privileges of that user, this can lead to unauthorized access to sensitive data, modification of application settings, or complete control of the application. The impact is most severe where tokens are the sole basis for authentication and authorization, since the flaw bypasses those controls entirely. It underlines the need for strict token validation and careful management of stored user credentials.
CVE-2026-34531 was publicly disclosed on 2026-03-31. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept exploits are currently available, but the vulnerability’s simplicity suggests that one could be developed relatively easily.
Exploit Status
EPSS: 0.04% (14th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-34531 is to upgrade Flask-HTTPAuth to version 4.8.1 or later. If upgrading is not immediately feasible, consider implementing a workaround by ensuring that the token verification callback function explicitly rejects empty tokens. This can be achieved by adding a check at the beginning of the callback to return False if the token is an empty string. Additionally, review your application's user database to identify and correct any users with empty string tokens. After upgrading, confirm the fix by attempting to authenticate with an empty token and verifying that authentication fails.
Update the Flask-HTTPAuth library to version 4.8.1 or higher. This fixes the vulnerability that allows incorrect authentication when an empty token is provided.
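As an added illustration of the workaround described above (this is not code from the Flask-HTTPAuth project or from the advisory), the following contrasts a lookup-only token callback, of the kind that would be registered with the library's `@auth.verify_token` decorator, with one that rejects empty tokens before any lookup, and adds a small helper for auditing the user store. The user table, names and tokens are constructed sample data.

```python
from typing import Dict, List, Optional

# Constructed sample user store (not from the advisory). One record carries an
# empty-string token, which is the condition CVE-2026-34531 depends on.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"token": "tok-alice-9f3a", "role": "admin"},
    "bob":   {"token": "",               "role": "admin"},  # misconfigured user
    "carol": {"token": "tok-carol-12b7", "role": "user"},
}

# Reverse index token -> username, as a lookup-based callback might keep it.
TOKEN_INDEX: Dict[str, str] = {u["token"]: name for name, u in USERS.items()}


def naive_verify_token(token: Optional[str]) -> Optional[str]:
    """Lookup-only callback of the kind the advisory warns about.

    If the library calls this with an empty token, "" matches bob's record and
    the request is authenticated as bob.
    """
    return TOKEN_INDEX.get(token)


def hardened_verify_token(token: Optional[str]) -> Optional[str]:
    """Workaround from the advisory: reject empty tokens before any lookup.

    Returning None tells Flask-HTTPAuth the request is not authenticated.
    Whitespace-only tokens are rejected too (an extra check, not in the advisory).
    """
    if token is None or not token.strip():
        return None
    name = TOKEN_INDEX.get(token)
    # Defence in depth: never accept a user whose stored token is itself empty.
    if name is None or not USERS[name]["token"]:
        return None
    return name


def users_with_empty_tokens(users: Dict[str, Dict[str, str]]) -> List[str]:
    """Audit helper: usernames whose stored token is missing, empty or blank."""
    return sorted(
        name for name, u in users.items() if not (u.get("token") or "").strip()
    )


if __name__ == "__main__":
    print("naive:", naive_verify_token(""))          # bob (the bypass)
    print("hardened:", hardened_verify_token(""))    # None (rejected)
    print("audit:", users_with_empty_tokens(USERS))  # ['bob']
```

After upgrading, the same empty-token call against the real callback path is the check the advisory recommends: authentication must fail.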
CVE-2026-34531 is a vulnerability in Flask-HTTPAuth versions up to 4.8.0 that allows attackers to authenticate as users with empty tokens, potentially leading to unauthorized access.
You are affected if you are using Flask-HTTPAuth versions 4.8.0 or earlier and your application allows users to have empty string tokens.
Upgrade Flask-HTTPAuth to version 4.8.1 or later. As a temporary workaround, ensure your token verification callback rejects empty tokens.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Flask-HTTPAuth documentation and project repository for updates and advisories related to CVE-2026-34531.