CVE-2026-34531 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
When a client requests a token-protected resource without passing a token, or while passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.
To protect against this issue, developers should make sure that no user in the user database has their token set to an empty string. If there are such users, change the value of those tokens to NULL instead.
Alternatively, developers can upgrade their projects to Flask-HTTPAuth>=4.8.1, which fixes this issue.