Authlib
Products
2Recent CVEs
20| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33079 | Hig | 0.50 | — | 0.00 | May 6, 2026 | In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles… | ||
| CVE-2026-44681 | Med | 0.33 | 6.1 | 0.00 | May 27, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an… | ||
| CVE-2026-44898 | Med | 0.33 | 6.1 | 0.00 | May 26, 2026 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#") and the text value (used as the visible link label) are inserted… | ||
| CVE-2026-44897 | Med | 0.33 | 6.1 | 0.00 | May 26, 2026 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any other sanitisation… | ||
| CVE-2026-44896 | Med | 0.33 | 6.1 | 0.00 | May 26, 2026 | Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and… | ||
| CVE-2026-44708 | Med | 0.33 | 6.1 | 0.00 | May 26, 2026 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even… | ||
| CVE-2026-41425 | Med | 0.28 | 5.4 | 0.00 | Apr 24, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. | ||
| CVE-2026-44899 | Med | 0.24 | 4.7 | 0.00 | May 26, 2026 | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a plain integer,… | ||
| CVE-2026-48990 | 0.00 | — | 0.00 | Jun 17, 2026 | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead… | |||
| CVE-2026-41479 | 0.00 | — | 0.00 | Jun 8, 2026 | ### Summary Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any… | |||
| CVE-2026-33441 | 0.00 | — | — | May 6, 2026 | Rejected reason: This CVE is a duplicate of another CVE: CVE-2026-33079. | |||
| CVE-2026-28498 | 0.00 | — | 0.00 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash… | |||
| CVE-2026-28490 | 0.00 | — | 0.00 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management… | |||
| CVE-2026-27962 | 0.00 | — | 0.01 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When… | |||
| CVE-2026-28802 | 0.00 | — | 0.00 | Mar 6, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to… | |||
| CVE-2025-68158 | 0.00 | — | 0.00 | Jan 8, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an… | |||
| CVE-2025-62706 | 0.00 | — | 0.00 | Oct 22, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who… | |||
| CVE-2025-61920 | 0.00 | — | 0.01 | Oct 10, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans… | |||
| CVE-2025-59420 | 0.00 | — | 0.00 | Sep 22, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a… | |||
| CVE-2024-37568 | 0.00 | — | 0.00 | Jun 9, 2024 | lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) |
- risk 0.50cvss —epss 0.00
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles…
- risk 0.33cvss 6.1epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an…
- risk 0.33cvss 6.1epss 0.00
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#") and the text value (used as the visible link label) are inserted…
- risk 0.33cvss 6.1epss 0.00
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any other sanitisation…
- risk 0.33cvss 6.1epss 0.00
Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and…
- risk 0.33cvss 6.1epss 0.00
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even…
- risk 0.28cvss 5.4epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
- risk 0.24cvss 4.7epss 0.00
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a plain integer,…
- CVE-2026-48990Jun 17, 2026risk 0.00cvss —epss 0.00
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead…
- CVE-2026-41479Jun 8, 2026risk 0.00cvss —epss 0.00
### Summary Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any…
- CVE-2026-33441May 6, 2026risk 0.00cvss —epss —
Rejected reason: This CVE is a duplicate of another CVE: CVE-2026-33079.
- CVE-2026-28498Mar 16, 2026risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash…
- CVE-2026-28490Mar 16, 2026risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management…
- CVE-2026-27962Mar 16, 2026risk 0.00cvss —epss 0.01
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When…
- CVE-2026-28802Mar 6, 2026risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to…
- CVE-2025-68158Jan 8, 2026risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an…
- CVE-2025-62706Oct 22, 2025risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who…
- CVE-2025-61920Oct 10, 2025risk 0.00cvss —epss 0.01
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans…
- CVE-2025-59420Sep 22, 2025risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a…
- CVE-2024-37568Jun 9, 2024risk 0.00cvss —epss 0.00
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)