Perceptive Security
SOC/SIEM Consultancy

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS impleme…
Published:
15 March 2026 at 23:00:00
Alert date:
16 March 2026 at 19:01:56
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies, Identity & Access
A JWK Header Injection vulnerability in Authlib's JWS implementation allows unauthenticated attackers to forge arbitrary JWT tokens that pass signature verification. The vulnerability occurs when key=None is passed to JWS deserialization functions, causing the library to extract and use cryptographic keys from the attacker-controlled jwk field of the JWT header. Attackers can sign tokens with their own private key, embed the matching public key in the header, and bypass authentication and authorization entirely. The issue affects versions prior to 1.6.9 and has been patched in version 1.6.9.
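The defensive pattern for this class of bug, as an added example that is not Authlib's code: the verification key must always be chosen by the server (never key=None), and a token whose protected header supplies its own key is rejected before any signature check. It runs stand-alone against a plain HS256 JWS; the advisory names only the jwk field, and listing the related jku/x5u/x5c pointers alongside it is an assumption of this example. The same checks apply to RSA/EC tokens.

```python
import base64
import hashlib
import hmac
import json

# Header fields through which a token can carry or point to its own key.
# 'jwk' is the field from the advisory; the others are added here by assumption.
EMBEDDED_KEY_HEADERS = ("jwk", "jku", "x5u", "x5c")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def protected_header(token: str) -> dict:
    """Parse only the protected header of a compact JWS (no trust in it yet)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))


def embedded_key_fields(token: str) -> list:
    """Header fields by which this token tries to supply its own verification key."""
    header = protected_header(token)
    return [f for f in EMBEDDED_KEY_HEADERS if f in header]


def verify_hs256(token: str, server_key: bytes) -> dict:
    """Verify with a key the server chose; the token never picks its own key."""
    if server_key is None:
        raise ValueError("verification key must be supplied explicitly, not None")
    found = embedded_key_fields(token)
    if found:
        raise ValueError(f"token supplies its own key via {found}; rejected")
    h, p, s = token.split(".")
    expected = hmac.new(server_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Constructed sample token for this example (HS256 compact serialization)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```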
Technical details
Affected products:
Authlib
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-27962
https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681
https://github.com/authlib/authlib/releases/tag/v1.6.9
https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5
This article was created with the assistance of AI technology by Perceptive.
