Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/flask-httpauth@2.7.0
Type pypi
Namespace
Name flask-httpauth
Version 2.7.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.8.1
Latest_non_vulnerable_version 4.8.1
Affected_by_vulnerabilities
0
url VCID-rxn6-7bu1-3fea
vulnerability_id VCID-rxn6-7bu1-3fea
summary
Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
## Summary

When a client makes a request to a token-protected resource without passing a token, or while passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the `token` argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.

## Notes

- This issue applies only to token authentication.
- This issue applies only when the application verifies tokens by searching for them in a user database.
- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to `NULL` instead.
- Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.
- Basic and Digest authentication are not affected by this issue.

## Remediation

To protect against this issue, developers should make sure that no user in the user database has their `token` set to an empty string. If there are such users, change the value of those tokens to `NULL` instead.

Alternatively, developers can upgrade their projects to `Flask-HTTPAuth>=4.8.1`, which fixes this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34531
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.0534
published_at 2026-06-08T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05384
published_at 2026-06-09T12:55:00Z
2
value 0.00024
scoring_system epss
scoring_elements 0.07269
published_at 2026-06-05T12:55:00Z
3
value 0.00024
scoring_system epss
scoring_elements 0.07261
published_at 2026-06-07T12:55:00Z
4
value 0.00024
scoring_system epss
scoring_elements 0.07275
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34531
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34531
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34531
2
reference_url https://github.com/miguelgrinberg/Flask-HTTPAuth
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/miguelgrinberg/Flask-HTTPAuth
3
reference_url https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee
4
reference_url https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1
5
reference_url https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg
6
reference_url https://lists.debian.org/debian-lts-announce/2026/05/msg00049.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2026/05/msg00049.html
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34531
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34531
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132581
reference_id 1132581
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132581
9
reference_url https://github.com/advisories/GHSA-p44q-vqpr-4xmg
reference_id GHSA-p44q-vqpr-4xmg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p44q-vqpr-4xmg
fixed_packages
0
url pkg:pypi/flask-httpauth@4.8.1
purl pkg:pypi/flask-httpauth@4.8.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-httpauth@4.8.1
aliases CVE-2026-34531, GHSA-p44q-vqpr-4xmg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rxn6-7bu1-3fea
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/flask-httpauth@2.7.0