VulnerableCode Package Details - pkg:pypi/authlib@1.6.7

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/authlib@1.6.7

Essentials
History (2)

purl	pkg:pypi/authlib@1.6.7

Next non-vulnerable version	1.6.11
Latest non-vulnerable version	1.6.11
Risk

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-hrf7-xz6n-efcg Aliases: CVE-2026-41425 GHSA-jj8c-mmj3-mmgv PYSEC-2026-25	Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.	1.6.11 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-z4uj-gecb-1ucd	Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5) it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.	CVE-2026-28802 GHSA-7wc2-qxgw-g8gg

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:51:20.110126+00:00	GitLab Importer	Fixing	VCID-z4uj-gecb-1ucd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2026-28802.yml	38.6.0
2026-06-02T04:24:54.825191+00:00	Pypa Importer	Affected by	VCID-hrf7-xz6n-efcg	https://github.com/pypa/advisory-database/blob/main/vulns/authlib/PYSEC-2026-25.yaml	38.6.0