File CVE-2026-27962.patch of Package python-Authlib.43208
From a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Wed, 25 Feb 2026 23:48:19 +0800
Subject: [PATCH] fix(jose): do not use header's jwk automatically
---
authlib/jose/rfc7515/jws.py | 2 --
authlib/jose/rfc7516/jwe.py | 2 --
2 files changed, 4 deletions(-)
Index: authlib-1.3.1/authlib/jose/rfc7515/jws.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7515/jws.py
+++ authlib-1.3.1/authlib/jose/rfc7515/jws.py
@@ -257,8 +257,6 @@ class JsonWebSignature:
algorithm = self.ALGORITHMS_REGISTRY[alg]
if callable(key):
key = key(header, payload)
- elif key is None and 'jwk' in header:
- key = header['jwk']
key = algorithm.prepare_key(key)
return algorithm, key
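Review bot: With the `elif` fallback gone, a caller that passes `key=None` for a token carrying a `jwk` header now falls straight into `algorithm.prepare_key(None)` on the line after the deleted branch, so the rejection surfaces as whatever the backend raises on a `None` key instead of an explicit "no key supplied" error; an explicit guard such as `if key is None: raise ValueError('"key" is required to verify a JWS; the header "jwk" is not trusted')` (or the jose error type this module already uses) would make the refusal deliberate and greppable. The `callable(key)` branch still hands the full header to the callback, which is the right place for a caller to opt in, so a comment there would record the intent of this fix for maintainers, e.g. `# NOTE: the header's "jwk" is never used implicitly — it is attacker-controlled; a caller that wants to honour it must do so in this callback after checking the key against a trusted set (kid/thumbprint allowlist)`. Without such a note the next contributor may reintroduce the convenience that this patch removes. The enclosing method starts before this hunk, and its trailing context line appears to have been lost in this rendering.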
Index: authlib-1.3.1/authlib/jose/rfc7516/jwe.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7516/jwe.py
+++ authlib-1.3.1/authlib/jose/rfc7516/jwe.py
@@ -717,6 +717,4 @@ class JsonWebEncryption:
def prepare_key(alg, header, key):
if callable(key):
key = key(header, None)
- elif key is None and 'jwk' in header:
- key = header['jwk']
return alg.prepare_key(key)
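Review bot: `prepare_key` still accepts `key=None` after the deletion and simply forwards it to `alg.prepare_key(None)` on the return line, so the new contract that the caller must always supply key material (or a callable) is enforced only indirectly by each algorithm's own `prepare_key`; whether every registered algorithm rejects `None` cleanly is not visible here and is worth a test per algorithm. An explicit `if key is None: raise ValueError('"key" is required; the JWE header "jwk" is not used')` before the return would make the refusal independent of backend behaviour. The function also has no docstring; one stating that `key` is either key material or a callable invoked as `key(header, None)`, and that the protected header's `jwk` is deliberately ignored because the header is attacker-controlled, would record why the branch was removed.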