Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/authlib@0.10

Type pypi

Namespace

Name authlib

Version 0.10

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.6.12

Latest_non_vulnerable_version 1.7.1

Affected_by_vulnerabilities

url VCID-hrf7-xz6n-efcg

vulnerability_id VCID-hrf7-xz6n-efcg

summary Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41425.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41425.json

reference_url

https://github.com/authlib/authlib

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/authlib/authlib

reference_url

https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-41425

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-41425

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2461690
reference_id	2461690
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2461690

fixed_packages

url pkg:pypi/authlib@1.6.11

purl pkg:pypi/authlib@1.6.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-sk4t-73s6-rqg9

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.11

aliases CVE-2026-41425, GHSA-jj8c-mmj3-mmgv, PYSEC-2026-25

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hrf7-xz6n-efcg

url VCID-sk4t-73s6-rqg9

vulnerability_id VCID-sk4t-73s6-rqg9

summary Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.

references

reference_url

https://github.com/authlib/authlib

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/authlib/authlib

reference_url

https://github.com/authlib/authlib/releases/tag/v1.6.12

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/authlib/authlib/releases/tag/v1.6.12

reference_url

https://github.com/authlib/authlib/releases/tag/v1.7.1

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/authlib/authlib/releases/tag/v1.7.1

reference_url

https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2

fixed_packages

url	pkg:pypi/authlib@1.6.12
purl	pkg:pypi/authlib@1.6.12
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.12

url	pkg:pypi/authlib@1.7.1
purl	pkg:pypi/authlib@1.7.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.7.1

aliases CVE-2026-44681, GHSA-r95x-qfjj-fjj2, PYSEC-2026-188

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sk4t-73s6-rqg9

url VCID-tk6q-528z-rye4

vulnerability_id VCID-tk6q-528z-rye4

summary lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

references

reference_url

https://github.com/lepture/authlib

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lepture/authlib

reference_url

https://github.com/lepture/authlib/issues/654

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lepture/authlib/issues/654

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU

reference_url

https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-37568

reference_id

CVE-2024-37568

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-37568

reference_url	https://github.com/advisories/GHSA-5357-c2jx-v7qh
reference_id	GHSA-5357-c2jx-v7qh
reference_type
scores
url	https://github.com/advisories/GHSA-5357-c2jx-v7qh

fixed_packages

url pkg:pypi/authlib@1.3.1

purl pkg:pypi/authlib@1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hrf7-xz6n-efcg

vulnerability	VCID-sk4t-73s6-rqg9

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.3.1

aliases CVE-2024-37568, GHSA-5357-c2jx-v7qh, PYSEC-2024-52

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tk6q-528z-rye4

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@0.10

Package Instance