rpm package
opensuse/python-Authlib&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-Authlib&distro=openSUSE%20Tumbleweed
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44681 | Med | 6.1 | < 1.7.2-1.1 | 1.7.2-1.1 | May 27, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an H | |
| CVE-2025-68158 | — | < 1.6.6-1.1 | 1.6.6-1.1 | Jan 8, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an a | ||
| CVE-2025-61920 | — | < 1.6.5-1.1 | 1.6.5-1.1 | Oct 10, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds | ||
| CVE-2024-37568 | — | < 1.3.1-1.1 | 1.3.1-1.1 | Jun 9, 2024 | lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) |
- affected < 1.7.2-1.1fixed 1.7.2-1.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an H
- CVE-2025-68158Jan 8, 2026affected < 1.6.6-1.1fixed 1.6.6-1.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an a
- CVE-2025-61920Oct 10, 2025affected < 1.6.5-1.1fixed 1.6.5-1.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds
- CVE-2024-37568Jun 9, 2024affected < 1.3.1-1.1fixed 1.3.1-1.1
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)