rpm package
suse/python-Authlib&distro=SUSE Linux Enterprise Module for Python 3 15 SP7
pkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-28498 | — | < 1.3.1-150600.3.17.1 | 1.3.1-150600.3.17.1 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification | ||
| CVE-2026-28490 | — | < 1.3.1-150600.3.17.1 | 1.3.1-150600.3.17.1 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algori | ||
| CVE-2026-27962 | — | < 1.3.1-150600.3.17.1 | 1.3.1-150600.3.17.1 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None | ||
| CVE-2025-68158 | — | < 1.3.1-150600.3.14.1 | 1.3.1-150600.3.14.1 | Jan 8, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an a | ||
| CVE-2025-62706 | — | < 1.3.1-150600.3.9.1 | 1.3.1-150600.3.9.1 | Oct 22, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can s | ||
| CVE-2025-61920 | — | < 1.3.1-150600.3.6.1 | 1.3.1-150600.3.6.1 | Oct 10, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds |
- CVE-2026-28498Mar 16, 2026affected < 1.3.1-150600.3.17.1fixed 1.3.1-150600.3.17.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification
- CVE-2026-28490Mar 16, 2026affected < 1.3.1-150600.3.17.1fixed 1.3.1-150600.3.17.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algori
- CVE-2026-27962Mar 16, 2026affected < 1.3.1-150600.3.17.1fixed 1.3.1-150600.3.17.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None
- CVE-2025-68158Jan 8, 2026affected < 1.3.1-150600.3.14.1fixed 1.3.1-150600.3.14.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an a
- CVE-2025-62706Oct 22, 2025affected < 1.3.1-150600.3.9.1fixed 1.3.1-150600.3.9.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can s
- CVE-2025-61920Oct 10, 2025affected < 1.3.1-150600.3.6.1fixed 1.3.1-150600.3.6.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds