Platform: python
Component: flask-httpauth
Fixed in: 4.8.1, 4.8.2
CVE-2026-34531 describes an authentication bypass in Flask-HTTPAuth versions up to and including 4.8.0. An attacker can authenticate a request as any user whose configured token is the empty string, because the library invokes the application's token verification callback with an empty token instead of rejecting the request outright. A fix is available in version 4.8.1.
An attacker exploits this by sending requests to token-protected resources with no token or with an empty token. If the application's user store contains accounts whose token is the empty string, the attacker is authenticated as one of those accounts with whatever privileges it carries: reading sensitive data, changing application settings, or, for an administrative account, taking full control of the application. The impact is most severe where the token is the sole authentication and authorization control, since that control is bypassed entirely rather than weakened. Both strict token validation in the callback and hygiene of stored credentials (no empty or placeholder tokens) matter here.
CVE-2026-34531 was publicly disclosed on 2026-03-31. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept exploits are currently available, but the vulnerability’s simplicity suggests that one could be developed relatively easily.
Applications built with Python and utilizing Flask-HTTPAuth for authentication are at risk. This includes web applications, APIs, and microservices that rely on Flask-HTTPAuth for token-based authentication. Specifically, applications with legacy user databases or those that allow users to set empty tokens are particularly vulnerable.
• python / server:
from importlib.metadata import PackageNotFoundError, version
import re

# CVE-2026-34531 affects Flask-HTTPAuth <= 4.8.0; the fix shipped in 4.8.1.
FIXED_VERSION = (4, 8, 1)


def parse_version(text):
    # Compare numerically: a plain string comparison would rank "4.10.0" below "4.8.0".
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def check_flask_httpauth_version():
    # importlib.metadata reads the installed distribution directly, so a missing
    # package raises PackageNotFoundError instead of depending on a pip binary.
    try:
        installed = version("Flask-HTTPAuth")
    except PackageNotFoundError:
        print("Flask-HTTPAuth is not installed.")
        return
    if parse_version(installed) < FIXED_VERSION:
        print(f"Vulnerability detected: Flask-HTTPAuth version {installed} is vulnerable (fixed in 4.8.1).")
    else:
        print(f"Flask-HTTPAuth {installed} is not affected by CVE-2026-34531.")


check_flask_httpauth_version()
Exploit status
EPSS: 0.04% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34531 is to upgrade Flask-HTTPAuth to version 4.8.1 or later. If upgrading is not immediately feasible, consider implementing a workaround by ensuring that the token verification callback function explicitly rejects empty tokens. This can be achieved by adding a check at the beginning of the callback to return False if the token is an empty string. Additionally, review your application's user database to identify and correct any users with empty string tokens. After upgrading, confirm the fix by attempting to authenticate with an empty token and verifying that authentication fails.
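The following is an added example, not code from the Flask-HTTPAuth project or from this advisory. It shows the workaround described above (a token callback that rejects the empty string before any lookup), an audit helper that lists accounts stored with an empty token, and the post-upgrade check of sending an empty bearer token and expecting a 401. The token store, user names and token values are constructed for illustration; build_app() uses the real Flask-HTTPAuth HTTPTokenAuth API and needs Flask and Flask-HTTPAuth installed, while verify_token and find_empty_token_users run without them.

```python
import hmm_placeholder_never_used  # noqa: F401  (removed below)
```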
Update the Flask-HTTPAuth library to version 4.8.1 or later. This corrects the flaw that allowed a request to be authenticated when an empty token was supplied.
CVE-2026-34531 is a vulnerability in Flask-HTTPAuth versions up to 4.8.0 that allows attackers to authenticate as users with empty tokens, potentially leading to unauthorized access.
You are affected if you are using Flask-HTTPAuth versions 4.8.0 or earlier and your application allows users to have empty string tokens.
Upgrade Flask-HTTPAuth to version 4.8.1 or later. As a temporary workaround, ensure your token verification callback rejects empty tokens.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the official Flask-HTTPAuth documentation and project repository for updates and advisories related to CVE-2026-34531.