Package details: pkg:deb/debian/python-authlib@1.7.2-1
purl pkg:deb/debian/python-authlib@1.7.2-1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (6)
Vulnerability | Summary | Aliases
VCID-4wgd-2mpe-tyh3 | authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens | CVE-2026-28498, GHSA-m344-f55w-2m6j
VCID-hrf7-xz6n-efcg | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. | CVE-2026-41425, GHSA-jj8c-mmj3-mmgv, PYSEC-2026-25
VCID-pt7d-e6h5-kbd2 | authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5 | CVE-2026-28490, GHSA-7432-952r-cw78
VCID-sk4t-73s6-rqg9 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1. | CVE-2026-44681, GHSA-r95x-qfjj-fjj2, PYSEC-2026-188
VCID-z4uj-gecb-1ucd | Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification. After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5), it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was expected. | CVE-2026-28802, GHSA-7wc2-qxgw-g8gg
VCID-zafh-nuvx-6fch | authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability | CVE-2026-27962, GHSA-wvwj-cvrp-7pv5

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-05T20:19:55.071745+00:00 | Debian Importer | Fixing | VCID-4wgd-2mpe-tyh3 | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T20:17:35.419441+00:00 | Debian Importer | Fixing | VCID-pt7d-e6h5-kbd2 | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:44:45.328046+00:00 | Debian Importer | Fixing | VCID-sk4t-73s6-rqg9 | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:20:54.373397+00:00 | Debian Importer | Fixing | VCID-zafh-nuvx-6fch | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-05T19:04:31.814870+00:00 | Debian Importer | Fixing | VCID-hrf7-xz6n-efcg | https://security-tracker.debian.org/tracker/data/json | 38.6.0
2026-06-04T19:39:35.869781+00:00 | Debian Importer | Fixing | VCID-z4uj-gecb-1ucd | https://security-tracker.debian.org/tracker/data/json | 38.6.0