Platform: python
Component: flask-httpauth
Fixed in: 4.8.2, 4.8.1
CVE-2026-34531 describes an authentication bypass vulnerability in Flask-HTTPAuth versions up to 4.8.0. This flaw allows an attacker to potentially authenticate requests as any user with an empty string configured as their token. The vulnerability arises when the application’s token verification callback is invoked with an empty token, enabling unauthorized access. A fix is available in version 4.8.1.
An attacker can exploit this vulnerability by crafting requests to token-protected resources without providing a valid token or by providing an empty token. If the application’s database contains users with empty string tokens, the attacker can authenticate as any of those users. This could lead to unauthorized access to sensitive data, modification of application settings, or even complete control of the application, depending on the privileges associated with the authenticated user. The impact is particularly severe in applications where user tokens are used for authentication and authorization, as it effectively bypasses the intended security controls. This vulnerability highlights the importance of robust token validation and secure user credential management.
CVE-2026-34531 was publicly disclosed on 2026-03-31. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept exploits are currently available, but the vulnerability’s simplicity suggests that one could be developed relatively easily.
Applications built with Python and utilizing Flask-HTTPAuth for authentication are at risk. This includes web applications, APIs, and microservices that rely on Flask-HTTPAuth for token-based authentication. Specifically, applications with legacy user databases or those that allow users to set empty tokens are particularly vulnerable.
• python / server:
import subprocess
from packaging.version import Version  # 'packaging' ships alongside pip; not stdlib

def check_flask_httpauth_version():
    try:
        result = subprocess.check_output(
            ['pip', 'show', 'Flask-HTTPAuth'], stderr=subprocess.STDOUT, text=True)
    except FileNotFoundError:
        print("pip is not available on PATH.")
        return
    except subprocess.CalledProcessError:
        # pip exits non-zero when the package is not installed
        print("Flask-HTTPAuth is not installed.")
        return
    for line in result.splitlines():
        if line.startswith('Version:'):
            version = line.split(':', 1)[1].strip()
            # Compare as versions, not as strings: '4.10.0' sorts below '4.8.0' as text
            if Version(version) <= Version('4.8.0'):
                print(f"Vulnerability detected: Flask-HTTPAuth version {version} is vulnerable.")
            else:
                print("Flask-HTTPAuth is up to date.")
            return
    print("Could not determine the Flask-HTTPAuth version from pip output.")

check_flask_httpauth_version()
Exploit status: EPSS 0.04% (14th percentile)
The primary mitigation for CVE-2026-34531 is to upgrade Flask-HTTPAuth to version 4.8.1 or later. If upgrading is not immediately feasible, consider implementing a workaround by ensuring that the token verification callback function explicitly rejects empty tokens. This can be achieved by adding a check at the beginning of the callback to return False if the token is an empty string. Additionally, review your application's user database to identify and correct any users with empty string tokens. After upgrading, confirm the fix by attempting to authenticate with an empty token and verifying that authentication fails.
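The following added example (not Flask-HTTPAuth's own code) models the failure mode and the workaround above: a simplified imitation of how a bearer token reaches the application's `verify_token` callback, a naive callback beside the hardened one that rejects empty tokens, and a small audit helper for finding accounts with empty stored tokens. The user store and token values are constructed for illustration.

```python
from typing import Callable, Dict, Optional

# Constructed user store: "legacy" has an empty-string token left behind by an old migration.
USERS_BY_TOKEN: Dict[str, dict] = {
    "s3cr3t-token-alice": {"name": "alice", "role": "admin"},
    "": {"name": "legacy", "role": "admin"},
}


def naive_verify_token(token: Optional[str]) -> Optional[dict]:
    """Typical callback that only looks the token up. An empty token matches 'legacy'."""
    return USERS_BY_TOKEN.get(token)


def hardened_verify_token(token: Optional[str]) -> Optional[dict]:
    """Workaround from the advisory: reject empty or blank tokens before any lookup."""
    if not token or not token.strip():
        return None
    return USERS_BY_TOKEN.get(token)


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Simplified imitation (an assumption, not library code) of scheme-based extraction.

    A missing header, or 'Bearer' with nothing after it, yields '' so that the empty
    token reaches the callback; a different scheme yields None (request rejected)."""
    if not authorization_header:
        return ""
    parts = authorization_header.split(None, 1)
    if parts[0].lower() != "bearer":
        return None
    return parts[1].strip() if len(parts) > 1 else ""


def authenticate(authorization_header: Optional[str],
                 verify: Callable[[Optional[str]], Optional[dict]]) -> Optional[dict]:
    """Returns the authenticated user record, or None when authentication fails."""
    token = extract_bearer_token(authorization_header)
    if token is None:
        return None
    return verify(token)


def audit_empty_tokens(users_by_token: Dict[str, dict]) -> list:
    """Lists accounts whose stored token is empty or blank, for the database review step."""
    return sorted(u["name"] for t, u in users_by_token.items() if not t or not t.strip())
```

With the naive callback a request carrying no token authenticates as "legacy"; with the hardened callback the same request fails while a valid token still succeeds.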
Update the Flask-HTTPAuth library to version 4.8.1 or later. This fixes the vulnerability that allows incorrect authentication when an empty token is provided.
CVE-2026-34531 is a vulnerability in Flask-HTTPAuth versions up to 4.8.0 that allows attackers to authenticate as users with empty tokens, potentially leading to unauthorized access.
You are affected if you are using Flask-HTTPAuth versions 4.8.0 or earlier and your application allows users to have empty string tokens.
Upgrade Flask-HTTPAuth to version 4.8.1 or later. As a temporary workaround, ensure your token verification callback rejects empty tokens.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Flask-HTTPAuth documentation and project repository for updates and advisories related to CVE-2026-34531.