CVE-2026-34531
Last modified
CVE-2026-34531 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Miguelgrinberg | Flask-Httpauth | < 4.8.1 |
References
- https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1Product, Release Notes
- https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmgMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2026-34531?
How severe is CVE-2026-34531?
How do I fix CVE-2026-34531?
Are you affected by CVE-2026-34531?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST