VYPR

PyPI package

authlib

pkg:pypi/authlib

Vulnerabilities (11)

  • CVE-2026-44681May 13, 2026
    affected >= 1.7.0, < 1.7.1fixed 1.7.1

    ### Summary An unauthenticated open redirect in Authlib's `OpenIDImplicitGrant` and `OpenIDHybridGrant` authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits t

  • CVE-2026-41425MedApr 24, 2026
    affected < 1.6.11fixed 1.6.11

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

  • CVE-2026-28498Mar 16, 2026
    affected < 1.6.9fixed 1.6.9

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification

  • CVE-2026-28490Mar 16, 2026
    affected < 1.6.9fixed 1.6.9

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algori

  • CVE-2026-27962Mar 16, 2026
    affected < 1.6.9fixed 1.6.9

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None

  • CVE-2026-28802Mar 6, 2026
    affected >= 1.6.5, < 1.6.7fixed 1.6.7

    Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to t

  • CVE-2025-68158Jan 8, 2026
    affected >= 1.0.0, < 1.6.6fixed 1.6.6

    Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an a

  • CVE-2025-62706Oct 22, 2025
    affected < 1.6.5fixed 1.6.5

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can s

  • CVE-2025-61920Oct 10, 2025
    affected < 1.6.5fixed 1.6.5

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds

  • CVE-2025-59420Sep 22, 2025
    affected < 1.6.4fixed 1.6.4

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed toke

  • CVE-2024-37568Jun 9, 2024
    affected < 1.3.1fixed 1.3.1

    lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)