Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/41561?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/41561?format=api", "purl": "pkg:pypi/authlib@1.2.1", "type": "pypi", "namespace": "", "name": "authlib", "version": "1.2.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.6.12", "latest_non_vulnerable_version": "1.7.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64888?format=api", "vulnerability_id": "VCID-4wgd-2mpe-tyh3", "summary": "authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28498.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28498.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08867", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28498" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28498", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28498" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:14:21Z/" } ], "url": "https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b" }, { "reference_url": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:14:21Z/" } ], "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:14:21Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28498", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28498" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448182", "reference_id": "2448182", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448182" }, { "reference_url": "https://github.com/advisories/GHSA-m344-f55w-2m6j", "reference_id": "GHSA-m344-f55w-2m6j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m344-f55w-2m6j" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6309", "reference_id": "RHSA-2026:6309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6404", "reference_id": "RHSA-2026:6404", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6404" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6497", "reference_id": "RHSA-2026:6497", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6497" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6567", "reference_id": "RHSA-2026:6567", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6567" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6568", "reference_id": "RHSA-2026:6568", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6568" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6720", "reference_id": "RHSA-2026:6720", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6720" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6912", "reference_id": "RHSA-2026:6912", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6912" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49678?format=api", "purl": "pkg:pypi/authlib@1.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.9" } ], "aliases": [ "CVE-2026-28498", "GHSA-m344-f55w-2m6j" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4wgd-2mpe-tyh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47822?format=api", "vulnerability_id": "VCID-f8jg-a3bd-x7ax", "summary": "Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)\nAuthlib’s JWS verification accepts tokens that declare unknown critical header parameters (`crit`), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, `bork` or `cnf`) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59420", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01363", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59420" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59420", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59420" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-22T18:04:06Z/" } ], "url": "https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2397460", "reference_id": "2397460", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2397460" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59420", "reference_id": "CVE-2025-59420", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59420" }, { "reference_url": "https://github.com/advisories/GHSA-9ggr-2464-2j32", "reference_id": "GHSA-9ggr-2464-2j32", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9ggr-2464-2j32" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32", "reference_id": "GHSA-9ggr-2464-2j32", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-22T18:04:06Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22182", "reference_id": "RHSA-2025:22182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22287", "reference_id": "RHSA-2025:22287", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22287" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23028", "reference_id": "RHSA-2025:23028", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23028" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23059", "reference_id": "RHSA-2025:23059", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23059" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23060", "reference_id": "RHSA-2025:23060", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23060" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23061", "reference_id": "RHSA-2025:23061", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23061" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23064", "reference_id": "RHSA-2025:23064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23176", "reference_id": "RHSA-2025:23176", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23176" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1942", "reference_id": "RHSA-2026:1942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215", "reference_id": "RHSA-2026:4215", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4215" }, { "reference_url": "https://usn.ubuntu.com/8065-1/", "reference_id": "USN-8065-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8065-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49673?format=api", "purl": "pkg:pypi/authlib@1.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4wgd-2mpe-tyh3" }, { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-pguz-hqre-77ac" }, { "vulnerability": "VCID-pt7d-e6h5-kbd2" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" }, { "vulnerability": "VCID-sp9r-m79r-ryd5" }, { "vulnerability": "VCID-vjhy-tvsd-gbfm" }, { "vulnerability": "VCID-zafh-nuvx-6fch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.4" } ], "aliases": [ "CVE-2025-59420", "GHSA-9ggr-2464-2j32" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f8jg-a3bd-x7ax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37302?format=api", "vulnerability_id": "VCID-hrf7-xz6n-efcg", "summary": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41425.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41425.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41425", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.0663", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41425" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:09:15Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-25.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-25.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41425", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41425" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461690", "reference_id": "2461690", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461690" }, { "reference_url": "https://github.com/advisories/GHSA-jj8c-mmj3-mmgv", "reference_id": "GHSA-jj8c-mmj3-mmgv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jj8c-mmj3-mmgv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49680?format=api", "purl": "pkg:pypi/authlib@1.6.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-sk4t-73s6-rqg9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.11" } ], "aliases": [ "CVE-2026-41425", "GHSA-jj8c-mmj3-mmgv", "PYSEC-2026-25" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hrf7-xz6n-efcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49616?format=api", "vulnerability_id": "VCID-pguz-hqre-77ac", "summary": "Authlib has 1-click Account Takeover vulnerability\nCache-backed state/request-token storage is not tied to the initiating user session, making CSRF possible for any attacker that possesses a valid state value (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, `FrameworkIntegration.set_state_data` writes the entire state blob under `_state_{app}_{state}`, and `get_state_data` disregards the caller's session entirely. [1][2]\n\n```py\ndef _get_cache_data(self, key):\nvalue = self.cache.get(key)\nif not value:\nreturn None\ntry:\nreturn json.loads(value)\nexcept (TypeError, ValueError):\nreturn None\n[snip]\ndef get_state_data(self, session, state):\nkey = f\"_state_{self.name}_{state}\"\nif self.cache:\nvalue = self._get_cache_data(key)\nelse:\nvalue = session.get(key)\nif value:\nreturn value.get(\"data\")\nreturn None\n```\n\n*authlib/integrations/base_client/framework_integration.py:12-41*\n\nRetrieval in `authorize_access_token` therefore succeeds for whichever browser presents that opaque value, and the token exchange proceeds with the attacker's authorization code. [3]\n\n```py\ndef authorize_access_token(self, **kwargs):\n\"\"\"Fetch access token in one step.\n\n:return: A token dict.\n\"\"\"\nparams = request.args.to_dict(flat=True)\nstate = params.get(\"oauth_token\")\nif not state:\nraise OAuthError(description='Missing \"oauth_token\" parameter')\n\ndata = self.framework.get_state_data(session, state)\nif not data:\nraise OAuthError(description='Missing \"request_token\" in temporary data')\n\nparams[\"request_token\"] = data[\"request_token\"]\nparams.update(kwargs)\nself.framework.clear_state_data(session, state)\ntoken = self.fetch_access_token(**params)\nself.token = token\nreturn token\n```\n\n*authlib/integrations/flask_client/apps.py:57-76*\n\nThis opens up an avenue for Login CSRF in applications that use cache-backed storage. Depending on the dependent application's implementation (e.g., whether it links accounts in the event of a login CSRF), this could lead to account takeover.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68158.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68158.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07916", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68158" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68158", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68158" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:19:47Z/" } ], "url": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489" }, { "reference_url": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:19:47Z/" } ], "url": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428102", "reference_id": "2428102", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428102" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68158", "reference_id": "CVE-2025-68158", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68158" }, { "reference_url": "https://github.com/advisories/GHSA-fg6f-75jq-6523", "reference_id": "GHSA-fg6f-75jq-6523", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fg6f-75jq-6523" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523", "reference_id": "GHSA-fg6f-75jq-6523", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:19:47Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6497", "reference_id": "RHSA-2026:6497", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6497" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6567", "reference_id": "RHSA-2026:6567", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6567" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6568", "reference_id": "RHSA-2026:6568", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6568" }, { "reference_url": "https://usn.ubuntu.com/8065-1/", "reference_id": "USN-8065-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8065-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49675?format=api", "purl": "pkg:pypi/authlib@1.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4wgd-2mpe-tyh3" }, { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-pt7d-e6h5-kbd2" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" }, { "vulnerability": "VCID-z4uj-gecb-1ucd" }, { "vulnerability": "VCID-zafh-nuvx-6fch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.6" } ], "aliases": [ "CVE-2025-68158", "GHSA-fg6f-75jq-6523" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pguz-hqre-77ac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64890?format=api", "vulnerability_id": "VCID-pt7d-e6h5-kbd2", "summary": "authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28490.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28490.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28490", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03807", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28490" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28490", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28490" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:17:04Z/" } ], "url": "https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22" }, { "reference_url": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:17:04Z/" } ], "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:17:04Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28490", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28490" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448162", "reference_id": "2448162", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448162" }, { "reference_url": "https://github.com/advisories/GHSA-7432-952r-cw78", "reference_id": "GHSA-7432-952r-cw78", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7432-952r-cw78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49678?format=api", "purl": "pkg:pypi/authlib@1.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.9" } ], "aliases": [ "CVE-2026-28490", "GHSA-7432-952r-cw78" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pt7d-e6h5-kbd2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51284?format=api", "vulnerability_id": "VCID-sk4t-73s6-rqg9", "summary": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44681", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12365", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44681" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44681", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44681" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/releases/tag/v1.6.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib/releases/tag/v1.6.12" }, { "reference_url": "https://github.com/authlib/authlib/releases/tag/v1.7.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib/releases/tag/v1.7.1" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:56:23Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75185?format=api", "purl": "pkg:pypi/authlib@1.6.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/119960?format=api", "purl": "pkg:pypi/authlib@1.7.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.7.1" } ], "aliases": [ "CVE-2026-44681", "GHSA-r95x-qfjj-fjj2", "PYSEC-2026-188" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sk4t-73s6-rqg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47990?format=api", "vulnerability_id": "VCID-sp9r-m79r-ryd5", "summary": "Authlib : JWE zip=DEF decompression bomb enables DoS\n_Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service._", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62706.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62706.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62706", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00137", "scoring_system": "epss", "scoring_elements": "0.33374", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62706" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62706", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62706" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405946", "reference_id": "2405946", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405946" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62706", "reference_id": "CVE-2025-62706", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62706" }, { "reference_url": "https://github.com/advisories/GHSA-g7f3-828f-7h7m", "reference_id": "GHSA-g7f3-828f-7h7m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g7f3-828f-7h7m" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m", "reference_id": "GHSA-g7f3-828f-7h7m", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:0629", "reference_id": "RHSA-2026:0629", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:0629" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:1596", "reference_id": "RHSA-2026:1596", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:1596" }, { "reference_url": "https://usn.ubuntu.com/8065-1/", "reference_id": "USN-8065-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8065-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49674?format=api", "purl": "pkg:pypi/authlib@1.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4wgd-2mpe-tyh3" }, { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-pguz-hqre-77ac" }, { "vulnerability": "VCID-pt7d-e6h5-kbd2" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" }, { "vulnerability": "VCID-z4uj-gecb-1ucd" }, { "vulnerability": "VCID-zafh-nuvx-6fch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.5" } ], "aliases": [ "CVE-2025-62706", "GHSA-g7f3-828f-7h7m" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sp9r-m79r-ryd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36812?format=api", "vulnerability_id": "VCID-tk6q-528z-rye4", "summary": "lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37568", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.3464", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37568" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/lepture/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lepture/authlib" }, { "reference_url": "https://github.com/lepture/authlib/issues/654", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/" } ], "url": "https://github.com/lepture/authlib/issues/654" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/" } ], "url": "https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37568", "reference_id": "CVE-2024-37568", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37568" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5/", "reference_id": "FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5/" }, { "reference_url": "https://github.com/advisories/GHSA-5357-c2jx-v7qh", "reference_id": "GHSA-5357-c2jx-v7qh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5357-c2jx-v7qh" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU/", "reference_id": "IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU/" }, { "reference_url": "https://usn.ubuntu.com/8065-1/", "reference_id": "USN-8065-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8065-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41563?format=api", "purl": "pkg:pypi/authlib@1.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4wgd-2mpe-tyh3" }, { "vulnerability": "VCID-f8jg-a3bd-x7ax" }, { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-pguz-hqre-77ac" }, { "vulnerability": "VCID-pt7d-e6h5-kbd2" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" }, { "vulnerability": "VCID-sp9r-m79r-ryd5" }, { "vulnerability": "VCID-vjhy-tvsd-gbfm" }, { "vulnerability": "VCID-zafh-nuvx-6fch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.3.1" } ], "aliases": [ "CVE-2024-37568", "GHSA-5357-c2jx-v7qh", "PYSEC-2024-52" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tk6q-528z-rye4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47991?format=api", "vulnerability_id": "VCID-vjhy-tvsd-gbfm", "summary": "Authlib is vulnerable to Denial of Service via Oversized JOSE Segments\n**Summary**\nAuthlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service.\n\n**Impact**\n\n- Attack vector: unauthenticated network attacker submits a malicious JWS/JWT.\n\n- Effect: base64 decode + JSON/crypto processing of huge buffers pegs CPU and allocates large amounts of RAM; a single request can exhaust service capacity.\n\n- Observed behaviour: on a test host, the legacy code verified a 500 MB header, consuming ~4 GB RSS and ~9 s CPU before failing.\n\n- Severity: High. CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5).\n\nAffected Versions\nAuthlib ≤ 1.6.3 (and earlier) when verifying JWS/JWT tokens. Later snapshots with 256 KB header/signature limits are not affected.\n\n**Proof of concept**", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61920.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61920.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61920", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62565", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61920" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61920", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61920" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:46:55Z/" } ], "url": "https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403179", "reference_id": "2403179", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403179" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61920", "reference_id": "CVE-2025-61920", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61920" }, { "reference_url": "https://github.com/advisories/GHSA-pq5p-34cr-23v9", "reference_id": "GHSA-pq5p-34cr-23v9", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pq5p-34cr-23v9" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9", "reference_id": "GHSA-pq5p-34cr-23v9", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:46:55Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22182", "reference_id": "RHSA-2025:22182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:22287", "reference_id": "RHSA-2025:22287", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:22287" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23028", "reference_id": "RHSA-2025:23028", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23028" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23059", "reference_id": "RHSA-2025:23059", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23059" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23060", "reference_id": "RHSA-2025:23060", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23060" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23061", "reference_id": "RHSA-2025:23061", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23061" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23064", "reference_id": "RHSA-2025:23064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:23176", "reference_id": "RHSA-2025:23176", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:23176" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215", "reference_id": "RHSA-2026:4215", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4215" }, { "reference_url": "https://usn.ubuntu.com/8065-1/", "reference_id": "USN-8065-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8065-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49674?format=api", "purl": "pkg:pypi/authlib@1.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4wgd-2mpe-tyh3" }, { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-pguz-hqre-77ac" }, { "vulnerability": "VCID-pt7d-e6h5-kbd2" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" }, { "vulnerability": "VCID-z4uj-gecb-1ucd" }, { "vulnerability": "VCID-zafh-nuvx-6fch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.5" } ], "aliases": [ "CVE-2025-61920", "GHSA-pq5p-34cr-23v9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vjhy-tvsd-gbfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64892?format=api", "vulnerability_id": "VCID-zafh-nuvx-6fch", "summary": "authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27962.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27962.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27962", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24045", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27962" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27962", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27962" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/authlib/authlib", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/authlib/authlib" }, { "reference_url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-17T12:43:23Z/" } ], "url": "https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681" }, { "reference_url": "https://github.com/authlib/authlib/releases/tag/v1.6.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-17T12:43:23Z/" } ], "url": "https://github.com/authlib/authlib/releases/tag/v1.6.9" }, { "reference_url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-17T12:43:23Z/" } ], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27962", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27962" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448164", "reference_id": "2448164", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448164" }, { "reference_url": "https://github.com/advisories/GHSA-wvwj-cvrp-7pv5", "reference_id": "GHSA-wvwj-cvrp-7pv5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wvwj-cvrp-7pv5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19375", "reference_id": "RHSA-2026:19375", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19375" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5665", "reference_id": "RHSA-2026:5665", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5665" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7314", "reference_id": "RHSA-2026:7314", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7314" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49678?format=api", "purl": "pkg:pypi/authlib@1.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hrf7-xz6n-efcg" }, { "vulnerability": "VCID-sk4t-73s6-rqg9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.9" } ], "aliases": [ "CVE-2026-27962", "GHSA-wvwj-cvrp-7pv5" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zafh-nuvx-6fch" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.2.1" }