Bug 2454129 (CVE-2026-34531) - CVE-2026-34531 flask-httpauth: token verification callback invoked when missing or empty token was given by client
Status: NEW
Alias: CVE-2026-34531
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Depends On: 2454342
Reported: 2026-04-01 22:01 UTC by OSIDB Bzimport
Modified: 2026-04-02 13:45 UTC (History)
Description (OSIDB Bzimport, 2026-04-01 22:01:56 UTC):
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, when a client requested a token-protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback with the token argument set to an empty string. If the application had any users in its database with an empty string stored as their token, the request could be authenticated as any of those users. This issue has been patched in version 4.8.1.
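The following is an added illustration, not code from Flask-HTTPAuth or from this bug report. It models the behaviour the description attributes to versions before 4.8.1 (a missing or empty Bearer token reaching the verification callback as an empty string) and shows two application-side defences that hold regardless of the library version: a callback that refuses empty tokens outright, and an audit that finds user records whose stored token is empty. The user store, the header parser and the function names (USERS_BY_TOKEN, verify_token_naive, verify_token_hardened, extract_token_pre_fix, authenticate_request, users_with_empty_token) are constructed for this example.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample user store keyed by API token. The record with an empty
# token is the condition the advisory describes: an account whose token was
# never issued or was cleared, but which is still present in the table.
USERS_BY_TOKEN: Dict[str, str] = {
    "tok-alice-1234": "alice",
    "": "pending-user",
}


def verify_token_naive(token: str) -> Optional[str]:
    """Callback that trusts whatever token value it receives.

    Given the empty string it matches the 'pending-user' record, which is
    exactly how an unauthenticated request could be mapped to a real user.
    """
    return USERS_BY_TOKEN.get(token)


def verify_token_hardened(token: Optional[str]) -> Optional[str]:
    """Callback that never authenticates a missing or empty token.

    This check belongs in the application even after upgrading: it makes the
    callback safe independently of how the framework treats absent credentials.
    """
    if not token:
        return None
    return USERS_BY_TOKEN.get(token)


def extract_token_pre_fix(authorization_header: Optional[str]) -> str:
    """Model (an assumption of this example) of the pre-4.8.1 behaviour from
    the advisory: a missing header or an empty Bearer value becomes ''."""
    if not authorization_header:
        return ""
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return value.strip()


def authenticate_request(
    authorization_header: Optional[str],
    verify: Callable[[str], Optional[str]],
) -> Optional[str]:
    """Run the modelled token extraction and hand the result to the callback,
    returning the authenticated username or None."""
    return verify(extract_token_pre_fix(authorization_header))


def users_with_empty_token(store: Dict[str, str]) -> List[str]:
    """Audit helper: list users whose stored token is empty or whitespace.
    Any hit is a record that a pre-4.8.1 deployment could be logged in as."""
    return [user for token, user in store.items() if not token.strip()]


if __name__ == "__main__":
    # Missing header with the naive callback: authenticated as 'pending-user'.
    print(authenticate_request(None, verify_token_naive))
    # Same request with the hardened callback: not authenticated.
    print(authenticate_request(None, verify_token_hardened))
    # Records that need cleaning up in the store.
    print(users_with_empty_token(USERS_BY_TOKEN))
```

Running the block shows the same unauthenticated request succeeding against the naive callback and failing against the hardened one, and the audit lists the record that makes the naive path dangerous; removing or regenerating tokens for those records closes the exposure even for the naive callback.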