Package details: pkg:deb/debian/python-authlib@1.7.2-1?distro=trixie
purl: pkg:deb/debian/python-authlib@1.7.2-1?distro=trixie
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (11)
VCID-4wgd-2mpe-tyh3
Summary: authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens
Aliases: CVE-2026-28498, GHSA-m344-f55w-2m6j

VCID-f8jg-a3bd-x7ax
Summary: Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (`crit`), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, `bork` or `cnf`) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation.
Aliases: CVE-2025-59420, GHSA-9ggr-2464-2j32

VCID-hrf7-xz6n-efcg
Summary: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
Aliases: CVE-2026-41425, GHSA-jj8c-mmj3-mmgv, PYSEC-2026-25

VCID-pguz-hqre-77ac
Summary: Authlib has 1-click Account Takeover vulnerability

Cache-backed state/request-token storage is not tied to the initiating user session, making CSRF possible for any attacker that possesses a valid state value (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, `FrameworkIntegration.set_state_data` writes the entire state blob under `_state_{app}_{state}`, and `get_state_data` disregards the caller's session entirely. [1][2]

```py
def _get_cache_data(self, key):
    value = self.cache.get(key)
    if not value:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return None

# [snip]

def get_state_data(self, session, state):
    key = f"_state_{self.name}_{state}"
    if self.cache:
        value = self._get_cache_data(key)
    else:
        value = session.get(key)
    if value:
        return value.get("data")
    return None
```

*authlib/integrations/base_client/framework_integration.py:12-41*

Retrieval in `authorize_access_token` therefore succeeds for whichever browser presents that opaque value, and the token exchange proceeds with the attacker's authorization code. [3]

```py
def authorize_access_token(self, **kwargs):
    """Fetch access token in one step.

    :return: A token dict.
    """
    params = request.args.to_dict(flat=True)
    state = params.get("oauth_token")
    if not state:
        raise OAuthError(description='Missing "oauth_token" parameter')

    data = self.framework.get_state_data(session, state)
    if not data:
        raise OAuthError(description='Missing "request_token" in temporary data')

    params["request_token"] = data["request_token"]
    params.update(kwargs)
    self.framework.clear_state_data(session, state)
    token = self.fetch_access_token(**params)
    self.token = token
    return token
```

*authlib/integrations/flask_client/apps.py:57-76*

This opens up an avenue for Login CSRF in applications that use cache-backed storage. Depending on the dependent application's implementation (e.g., whether it links accounts in the event of a login CSRF), this could lead to account takeover.
Aliases: CVE-2025-68158, GHSA-fg6f-75jq-6523

VCID-pt7d-e6h5-kbd2
Summary: authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5
Aliases: CVE-2026-28490, GHSA-7432-952r-cw78

VCID-sk4t-73s6-rqg9
Summary: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
Aliases: CVE-2026-44681, GHSA-r95x-qfjj-fjj2, PYSEC-2026-188

VCID-sp9r-m79r-ryd5
Summary: Authlib: JWE zip=DEF decompression bomb enables DoS

_Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service._
Aliases: CVE-2025-62706, GHSA-g7f3-828f-7h7m

VCID-tk6q-528z-rye4
Summary: lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Aliases: CVE-2024-37568, GHSA-5357-c2jx-v7qh, PYSEC-2024-52

VCID-vjhy-tvsd-gbfm
Summary: Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

**Summary**

Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service.

**Impact**

- Attack vector: unauthenticated network attacker submits a malicious JWS/JWT.
- Effect: base64 decode + JSON/crypto processing of huge buffers pegs CPU and allocates large amounts of RAM; a single request can exhaust service capacity.
- Observed behaviour: on a test host, the legacy code verified a 500 MB header, consuming ~4 GB RSS and ~9 s CPU before failing.
- Severity: High. CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5).

**Affected Versions**

Authlib ≤ 1.6.3 (and earlier) when verifying JWS/JWT tokens. Later snapshots with 256 KB header/signature limits are not affected.

**Proof of concept**
Aliases: CVE-2025-61920, GHSA-pq5p-34cr-23v9

VCID-z4uj-gecb-1ucd
Summary: Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5), it was noticed that previous tests involving passing a malicious JWT containing `alg: none` and an empty signature were passing the signature verification step without any changes to the application code, when a failure was expected.
Aliases: CVE-2026-28802, GHSA-7wc2-qxgw-g8gg

VCID-zafh-nuvx-6fch
Summary: authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability
Aliases: CVE-2026-27962, GHSA-wvwj-cvrp-7pv5

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T17:08:10.878747+00:00 | Debian Importer | Fixing | VCID-sk4t-73s6-rqg9 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.836361+00:00 | Debian Importer | Fixing | VCID-hrf7-xz6n-efcg | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.776046+00:00 | Debian Importer | Fixing | VCID-z4uj-gecb-1ucd | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.715313+00:00 | Debian Importer | Fixing | VCID-4wgd-2mpe-tyh3 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.649971+00:00 | Debian Importer | Fixing | VCID-pt7d-e6h5-kbd2 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.583854+00:00 | Debian Importer | Fixing | VCID-zafh-nuvx-6fch | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.508051+00:00 | Debian Importer | Fixing | VCID-pguz-hqre-77ac | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.462975+00:00 | Debian Importer | Fixing | VCID-sp9r-m79r-ryd5 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.411856+00:00 | Debian Importer | Fixing | VCID-vjhy-tvsd-gbfm | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.361566+00:00 | Debian Importer | Fixing | VCID-f8jg-a3bd-x7ax | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |
| 2026-06-04T17:08:10.305485+00:00 | Debian Importer | Fixing | VCID-tk6q-528z-rye4 | https://security-tracker.debian.org/tracker/data/json | 38.6.0 |