VYPR

Authlib

by Authlib

pypi: authlib

Source repositories

CVEs (13)

  • CVE-2026-44681 | Med | May 27, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an…

  • CVE-2026-41425 | Med | Apr 24, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

  • CVE-2026-48990 | Jun 17, 2026
    risk 0.00 | cvss n/a | epss 0.00

    joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead…

  • CVE-2026-41479 | Jun 8, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Summary: Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any…

  • CVE-2026-28498 | Mar 16, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash…

  • CVE-2026-28490 | Mar 16, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management…

  • CVE-2026-27962 | Mar 16, 2026
    risk 0.00 | cvss n/a | epss 0.01

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When…

  • CVE-2026-28802 | Mar 6, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to…

  • CVE-2025-68158 | Jan 8, 2026
    risk 0.00 | cvss n/a | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an…

  • CVE-2025-62706 | Oct 22, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who…

  • CVE-2025-61920 | Oct 10, 2025
    risk 0.00 | cvss n/a | epss 0.01

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url-encoded header or signature spans…

  • CVE-2025-59420 | Sep 22, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must-understand” semantics. An attacker can craft a…

  • CVE-2024-37568 | Jun 9, 2024
    risk 0.00 | cvss n/a | epss 0.00

    lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)