CVE-2026-34531 · HIGH 8.2 · EPSS percentile 24.0%

Description

Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, when a client requested a token-protected resource without passing a token, or passing an empty token, Flask-HTTPAuth invoked the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string stored as their token, the client request could be authenticated as any of those users. This issue has been patched in version 4.8.1.
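The failure mode above is an interaction between the library (passing "" instead of refusing the request) and the application's own lookup (treating "" as a valid key). The following is an added example, not code from Flask-HTTPAuth or from the advisory: it simulates the callback shape the library invokes with the presented token, shows why a direct dictionary lookup matches an empty-token account, and pairs it with the application-side checks a defender would add regardless of library version. The user store, the account names and the helper names (verify_token_naive, verify_token_hardened, accounts_with_empty_token, is_patched_version) are all constructed for this illustration; nothing here imports Flask or Flask-HTTPAuth.

```python
"""Stand-alone simulation of the empty-token authentication weakness.

Added example; not Flask-HTTPAuth's code. The callback signature mirrors the
one the library calls (a single `token` argument), but the store and all
helper names below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed sample token store, keyed by token. The second entry models an
# account whose token was never provisioned and was saved as an empty string,
# which is exactly the precondition the advisory describes.
USERS_BY_TOKEN: Dict[str, str] = {
    "tok-alice-7f3a": "alice",
    "": "svc-unprovisioned",  # constructed: empty token on record
}


def verify_token_naive(token: Optional[str]) -> Optional[str]:
    """Typical application callback: look the token up and return the user.

    With an affected library version the request-without-token path calls this
    with token == "", so the empty-token account authenticates.
    """
    return USERS_BY_TOKEN.get(token)


def verify_token_hardened(token: Optional[str]) -> Optional[str]:
    """Same lookup, but rejects missing, empty or whitespace-only tokens first.

    This is defence in depth on the application side: it closes the path even
    if the library is not yet upgraded to 4.8.1.
    """
    if token is None or not token.strip():
        return None
    return USERS_BY_TOKEN.get(token)


def accounts_with_empty_token(store: Dict[str, str]) -> List[str]:
    """Inventory check for the precondition: which accounts have no real token?

    Returns the affected user names so an operator can fix the data, not just
    the code path.
    """
    return sorted(user for token, user in store.items() if not token)


def is_patched_version(version: str) -> bool:
    """True if a Flask-HTTPAuth version string is 4.8.1 or later.

    4.8.1 is the fix release named in the advisory. Numeric components are
    compared as a tuple; pre-release suffixes are ignored, which is an
    assumption of this helper, not a statement about the project's versioning.
    """
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) >= (4, 8, 1)


if __name__ == "__main__":
    # A request with no token, as an affected library version presents it:
    print("naive   :", verify_token_naive(""))      # svc-unprovisioned
    print("hardened:", verify_token_hardened(""))   # None
    print("empty-token accounts:", accounts_with_empty_token(USERS_BY_TOKEN))
    print("4.8.0 patched?", is_patched_version("4.8.0"))  # False
```

Two of the checks matter operationally: accounts_with_empty_token finds the data condition that makes the bug exploitable in a given deployment, and verify_token_hardened removes the dependency on the library's behaviour, so the upgrade to 4.8.1 and the callback guard are complementary rather than alternatives.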

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.32% probability of exploitation · percentile 24.0% · 2026-06-18T12:00:27Z
Published: 2026-04-01
Last modified: 2026-04-16

Underlying weaknesses (1)

CWE-287

References

  1. https://github.com/miguelgrinberg/Flask-HTTPAuth/releases/tag/v4.8.1
  2. https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg
  3. https://github.com/miguelgrinberg/flask-httpauth/commit/b15ffe9e50e110d7174ccd944f642079e1dcf9ee

Type     | Target                            | Confidence | Tier
Weakness | Improper Authentication (CWE-287) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-43931
  2. CVE-2026-35490
  3. CVE-2025-68481
  4. CVE-2026-2652
  5. CVE-2026-4525
  6. CVE-2026-44681
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.