Search for packages
| purl | pkg:pypi/authlib@0.1rc0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-hrf7-xz6n-efcg
Aliases: CVE-2026-41425 GHSA-jj8c-mmj3-mmgv PYSEC-2026-25 |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. |
Affected by 1 other vulnerability. |
|
VCID-sk4t-73s6-rqg9
Aliases: CVE-2026-44681 GHSA-r95x-qfjj-fjj2 PYSEC-2026-188 |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tk6q-528z-rye4
Aliases: CVE-2024-37568 GHSA-5357-c2jx-v7qh PYSEC-2024-52 |
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||