Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/authlib@0.8
Type pypi
Namespace
Name authlib
Version 0.8
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.6.12
Latest_non_vulnerable_version 1.7.1
Affected_by_vulnerabilities
0
url VCID-4wgd-2mpe-tyh3
vulnerability_id VCID-4wgd-2mpe-tyh3
summary authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28498.json
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28498.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28498
reference_id
reference_type
scores
0
value 0.00029
scoring_system epss
scoring_elements 0.0886
published_at 2026-06-09T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08867
published_at 2026-06-05T12:55:00Z
2
value 0.00029
scoring_system epss
scoring_elements 0.08884
published_at 2026-06-06T12:55:00Z
3
value 0.00029
scoring_system epss
scoring_elements 0.08864
published_at 2026-06-07T12:55:00Z
4
value 0.00029
scoring_system epss
scoring_elements 0.08819
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28498
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28498
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28498
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
5
reference_url https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:14:21Z/
url https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b
6
reference_url https://github.com/authlib/authlib/releases/tag/v1.6.9
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:14:21Z/
url https://github.com/authlib/authlib/releases/tag/v1.6.9
7
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:14:21Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28498
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28498
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448182
reference_id 2448182
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448182
10
reference_url https://github.com/advisories/GHSA-m344-f55w-2m6j
reference_id GHSA-m344-f55w-2m6j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m344-f55w-2m6j
11
reference_url https://access.redhat.com/errata/RHSA-2026:6309
reference_id RHSA-2026:6309
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6309
12
reference_url https://access.redhat.com/errata/RHSA-2026:6404
reference_id RHSA-2026:6404
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6404
13
reference_url https://access.redhat.com/errata/RHSA-2026:6497
reference_id RHSA-2026:6497
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6497
14
reference_url https://access.redhat.com/errata/RHSA-2026:6567
reference_id RHSA-2026:6567
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6567
15
reference_url https://access.redhat.com/errata/RHSA-2026:6568
reference_id RHSA-2026:6568
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6568
16
reference_url https://access.redhat.com/errata/RHSA-2026:6720
reference_id RHSA-2026:6720
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6720
17
reference_url https://access.redhat.com/errata/RHSA-2026:6912
reference_id RHSA-2026:6912
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:6912
fixed_packages
0
url pkg:pypi/authlib@1.6.9
purl pkg:pypi/authlib@1.6.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hrf7-xz6n-efcg
1
vulnerability VCID-sk4t-73s6-rqg9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.9
aliases CVE-2026-28498, GHSA-m344-f55w-2m6j
risk_score 4.1
exploitability 0.5
weighted_severity 8.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4wgd-2mpe-tyh3
1
url VCID-f8jg-a3bd-x7ax
vulnerability_id VCID-f8jg-a3bd-x7ax
summary
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)
Authlib's JWS verification accepts tokens that declare unknown critical header parameters (`crit`), violating RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical header (for example, `bork` or `cnf`) that strict verifiers reject but Authlib accepts. In mixed-language fleets, this enables split-brain verification and can lead to policy bypass, replay, or privilege escalation.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59420
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01363
published_at 2026-06-05T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01366
published_at 2026-06-07T12:55:00Z
2
value 0.00011
scoring_system epss
scoring_elements 0.01367
published_at 2026-06-06T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03067
published_at 2026-06-09T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03101
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59420
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59420
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59420
3
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
4
reference_url https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-22T18:04:06Z/
url https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
5
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2397460
reference_id 2397460
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2397460
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59420
reference_id CVE-2025-59420
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59420
8
reference_url https://github.com/advisories/GHSA-9ggr-2464-2j32
reference_id GHSA-9ggr-2464-2j32
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9ggr-2464-2j32
9
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
reference_id GHSA-9ggr-2464-2j32
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-22T18:04:06Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
10
reference_url https://access.redhat.com/errata/RHSA-2025:22182
reference_id RHSA-2025:22182
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22182
11
reference_url https://access.redhat.com/errata/RHSA-2025:22287
reference_id RHSA-2025:22287
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22287
12
reference_url https://access.redhat.com/errata/RHSA-2025:23028
reference_id RHSA-2025:23028
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23028
13
reference_url https://access.redhat.com/errata/RHSA-2025:23059
reference_id RHSA-2025:23059
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23059
14
reference_url https://access.redhat.com/errata/RHSA-2025:23060
reference_id RHSA-2025:23060
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23060
15
reference_url https://access.redhat.com/errata/RHSA-2025:23061
reference_id RHSA-2025:23061
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23061
16
reference_url https://access.redhat.com/errata/RHSA-2025:23064
reference_id RHSA-2025:23064
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23064
17
reference_url https://access.redhat.com/errata/RHSA-2025:23176
reference_id RHSA-2025:23176
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23176
18
reference_url https://access.redhat.com/errata/RHSA-2026:1942
reference_id RHSA-2026:1942
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1942
19
reference_url https://access.redhat.com/errata/RHSA-2026:4215
reference_id RHSA-2026:4215
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:4215
20
reference_url https://usn.ubuntu.com/8065-1/
reference_id USN-8065-1
reference_type
scores
url https://usn.ubuntu.com/8065-1/
fixed_packages
0
url pkg:pypi/authlib@1.6.4
purl pkg:pypi/authlib@1.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wgd-2mpe-tyh3
1
vulnerability VCID-hrf7-xz6n-efcg
2
vulnerability VCID-pguz-hqre-77ac
3
vulnerability VCID-pt7d-e6h5-kbd2
4
vulnerability VCID-sk4t-73s6-rqg9
5
vulnerability VCID-sp9r-m79r-ryd5
6
vulnerability VCID-vjhy-tvsd-gbfm
7
vulnerability VCID-zafh-nuvx-6fch
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.4
aliases CVE-2025-59420, GHSA-9ggr-2464-2j32
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f8jg-a3bd-x7ax
2
url VCID-hrf7-xz6n-efcg
vulnerability_id VCID-hrf7-xz6n-efcg
summary Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41425.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41425.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41425
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06576
published_at 2026-06-09T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06575
published_at 2026-06-08T12:55:00Z
2
value 0.00023
scoring_system epss
scoring_elements 0.06617
published_at 2026-06-07T12:55:00Z
3
value 0.00023
scoring_system epss
scoring_elements 0.0663
published_at 2026-06-05T12:55:00Z
4
value 0.00023
scoring_system epss
scoring_elements 0.06629
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41425
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
4
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-27T13:09:15Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-25.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-25.yaml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41425
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41425
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2461690
reference_id 2461690
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2461690
8
reference_url https://github.com/advisories/GHSA-jj8c-mmj3-mmgv
reference_id GHSA-jj8c-mmj3-mmgv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jj8c-mmj3-mmgv
fixed_packages
0
url pkg:pypi/authlib@1.6.11
purl pkg:pypi/authlib@1.6.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-sk4t-73s6-rqg9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.11
aliases CVE-2026-41425, GHSA-jj8c-mmj3-mmgv, PYSEC-2026-25
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hrf7-xz6n-efcg
3
url VCID-pt7d-e6h5-kbd2
vulnerability_id VCID-pt7d-e6h5-kbd2
summary authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28490.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28490.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28490
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03787
published_at 2026-06-09T12:55:00Z
1
value 0.00016
scoring_system epss
scoring_elements 0.03807
published_at 2026-06-05T12:55:00Z
2
value 0.00016
scoring_system epss
scoring_elements 0.03808
published_at 2026-06-06T12:55:00Z
3
value 0.00016
scoring_system epss
scoring_elements 0.03796
published_at 2026-06-07T12:55:00Z
4
value 0.00016
scoring_system epss
scoring_elements 0.03774
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28490
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28490
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28490
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
5
reference_url https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:17:04Z/
url https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22
6
reference_url https://github.com/authlib/authlib/releases/tag/v1.6.9
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:17:04Z/
url https://github.com/authlib/authlib/releases/tag/v1.6.9
7
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-16T18:17:04Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28490
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28490
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448162
reference_id 2448162
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448162
10
reference_url https://github.com/advisories/GHSA-7432-952r-cw78
reference_id GHSA-7432-952r-cw78
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7432-952r-cw78
fixed_packages
0
url pkg:pypi/authlib@1.6.9
purl pkg:pypi/authlib@1.6.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hrf7-xz6n-efcg
1
vulnerability VCID-sk4t-73s6-rqg9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.9
aliases CVE-2026-28490, GHSA-7432-952r-cw78
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pt7d-e6h5-kbd2
4
url VCID-sk4t-73s6-rqg9
vulnerability_id VCID-sk4t-73s6-rqg9
summary Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44681
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12255
published_at 2026-06-09T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12365
published_at 2026-06-05T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12364
published_at 2026-06-06T12:55:00Z
3
value 0.0004
scoring_system epss
scoring_elements 0.12329
published_at 2026-06-07T12:55:00Z
4
value 0.0004
scoring_system epss
scoring_elements 0.12247
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44681
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44681
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44681
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
4
reference_url https://github.com/authlib/authlib/releases/tag/v1.6.12
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib/releases/tag/v1.6.12
5
reference_url https://github.com/authlib/authlib/releases/tag/v1.7.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib/releases/tag/v1.7.1
6
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T16:56:23Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-188.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-188.yaml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44681
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44681
9
reference_url https://github.com/advisories/GHSA-r95x-qfjj-fjj2
reference_id GHSA-r95x-qfjj-fjj2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r95x-qfjj-fjj2
fixed_packages
0
url pkg:pypi/authlib@1.6.12
purl pkg:pypi/authlib@1.6.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.12
1
url pkg:pypi/authlib@1.7.1
purl pkg:pypi/authlib@1.7.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.7.1
aliases CVE-2026-44681, GHSA-r95x-qfjj-fjj2, PYSEC-2026-188
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sk4t-73s6-rqg9
5
url VCID-sp9r-m79r-ryd5
vulnerability_id VCID-sp9r-m79r-ryd5
summary
Authlib: JWE zip=DEF decompression bomb enables DoS
_Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service._
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62706.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62706.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62706
reference_id
reference_type
scores
0
value 0.00137
scoring_system epss
scoring_elements 0.3334
published_at 2026-06-09T12:55:00Z
1
value 0.00137
scoring_system epss
scoring_elements 0.33374
published_at 2026-06-05T12:55:00Z
2
value 0.00137
scoring_system epss
scoring_elements 0.33389
published_at 2026-06-06T12:55:00Z
3
value 0.00137
scoring_system epss
scoring_elements 0.33353
published_at 2026-06-07T12:55:00Z
4
value 0.00137
scoring_system epss
scoring_elements 0.33319
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62706
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62706
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62706
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
5
reference_url https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d
6
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2405946
reference_id 2405946
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2405946
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-62706
reference_id CVE-2025-62706
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-62706
9
reference_url https://github.com/advisories/GHSA-g7f3-828f-7h7m
reference_id GHSA-g7f3-828f-7h7m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g7f3-828f-7h7m
10
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m
reference_id GHSA-g7f3-828f-7h7m
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m
11
reference_url https://access.redhat.com/errata/RHSA-2026:0629
reference_id RHSA-2026:0629
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:0629
12
reference_url https://access.redhat.com/errata/RHSA-2026:1596
reference_id RHSA-2026:1596
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:1596
13
reference_url https://usn.ubuntu.com/8065-1/
reference_id USN-8065-1
reference_type
scores
url https://usn.ubuntu.com/8065-1/
fixed_packages
0
url pkg:pypi/authlib@1.6.5
purl pkg:pypi/authlib@1.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wgd-2mpe-tyh3
1
vulnerability VCID-hrf7-xz6n-efcg
2
vulnerability VCID-pguz-hqre-77ac
3
vulnerability VCID-pt7d-e6h5-kbd2
4
vulnerability VCID-sk4t-73s6-rqg9
5
vulnerability VCID-z4uj-gecb-1ucd
6
vulnerability VCID-zafh-nuvx-6fch
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.5
aliases CVE-2025-62706, GHSA-g7f3-828f-7h7m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sp9r-m79r-ryd5
6
url VCID-tk6q-528z-rye4
vulnerability_id VCID-tk6q-528z-rye4
summary lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-37568
reference_id
reference_type
scores
0
value 0.00145
scoring_system epss
scoring_elements 0.34586
published_at 2026-06-08T12:55:00Z
1
value 0.00145
scoring_system epss
scoring_elements 0.34605
published_at 2026-06-09T12:55:00Z
2
value 0.00145
scoring_system epss
scoring_elements 0.3464
published_at 2026-06-05T12:55:00Z
3
value 0.00145
scoring_system epss
scoring_elements 0.34656
published_at 2026-06-06T12:55:00Z
4
value 0.00145
scoring_system epss
scoring_elements 0.3462
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-37568
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/lepture/authlib
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/lepture/authlib
4
reference_url https://github.com/lepture/authlib/issues/654
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/
url https://github.com/lepture/authlib/issues/654
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml
6
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU
9
reference_url https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/
url https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-37568
reference_id CVE-2024-37568
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-37568
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5/
reference_id FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5/
12
reference_url https://github.com/advisories/GHSA-5357-c2jx-v7qh
reference_id GHSA-5357-c2jx-v7qh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5357-c2jx-v7qh
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU/
reference_id IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-15T15:15:48Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU/
14
reference_url https://usn.ubuntu.com/8065-1/
reference_id USN-8065-1
reference_type
scores
url https://usn.ubuntu.com/8065-1/
fixed_packages
0
url pkg:pypi/authlib@1.3.1
purl pkg:pypi/authlib@1.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wgd-2mpe-tyh3
1
vulnerability VCID-f8jg-a3bd-x7ax
2
vulnerability VCID-hrf7-xz6n-efcg
3
vulnerability VCID-pguz-hqre-77ac
4
vulnerability VCID-pt7d-e6h5-kbd2
5
vulnerability VCID-sk4t-73s6-rqg9
6
vulnerability VCID-sp9r-m79r-ryd5
7
vulnerability VCID-vjhy-tvsd-gbfm
8
vulnerability VCID-zafh-nuvx-6fch
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.3.1
aliases CVE-2024-37568, GHSA-5357-c2jx-v7qh, PYSEC-2024-52
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tk6q-528z-rye4
7
url VCID-vjhy-tvsd-gbfm
vulnerability_id VCID-vjhy-tvsd-gbfm
summary
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
**Summary**
Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url-encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service.

**Impact**

- Attack vector: unauthenticated network attacker submits a malicious JWS/JWT.

- Effect: base64 decode + JSON/crypto processing of huge buffers pegs CPU and allocates large amounts of RAM; a single request can exhaust service capacity.

- Observed behaviour: on a test host, the legacy code attempted to verify a 500 MB header, consuming ~4 GB RSS and ~9 s CPU before failing.

- Severity: High. CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5).

**Affected Versions**
Authlib 1.6.3 and earlier, when verifying JWS/JWT tokens. Later snapshots that enforce 256 KB header/signature limits are not affected.

**Proof of concept**
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61920.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61920.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61920
reference_id
reference_type
scores
0
value 0.00424
scoring_system epss
scoring_elements 0.6255
published_at 2026-06-08T12:55:00Z
1
value 0.00424
scoring_system epss
scoring_elements 0.62565
published_at 2026-06-05T12:55:00Z
2
value 0.00424
scoring_system epss
scoring_elements 0.62573
published_at 2026-06-06T12:55:00Z
3
value 0.00424
scoring_system epss
scoring_elements 0.62564
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61920
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61920
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61920
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
5
reference_url https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:46:55Z/
url https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e
6
reference_url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403179
reference_id 2403179
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403179
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61920
reference_id CVE-2025-61920
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61920
9
reference_url https://github.com/advisories/GHSA-pq5p-34cr-23v9
reference_id GHSA-pq5p-34cr-23v9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pq5p-34cr-23v9
10
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9
reference_id GHSA-pq5p-34cr-23v9
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:46:55Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9
11
reference_url https://access.redhat.com/errata/RHSA-2025:22182
reference_id RHSA-2025:22182
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22182
12
reference_url https://access.redhat.com/errata/RHSA-2025:22287
reference_id RHSA-2025:22287
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:22287
13
reference_url https://access.redhat.com/errata/RHSA-2025:23028
reference_id RHSA-2025:23028
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23028
14
reference_url https://access.redhat.com/errata/RHSA-2025:23059
reference_id RHSA-2025:23059
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23059
15
reference_url https://access.redhat.com/errata/RHSA-2025:23060
reference_id RHSA-2025:23060
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23060
16
reference_url https://access.redhat.com/errata/RHSA-2025:23061
reference_id RHSA-2025:23061
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23061
17
reference_url https://access.redhat.com/errata/RHSA-2025:23064
reference_id RHSA-2025:23064
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23064
18
reference_url https://access.redhat.com/errata/RHSA-2025:23176
reference_id RHSA-2025:23176
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23176
19
reference_url https://access.redhat.com/errata/RHSA-2026:4215
reference_id RHSA-2026:4215
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:4215
20
reference_url https://usn.ubuntu.com/8065-1/
reference_id USN-8065-1
reference_type
scores
url https://usn.ubuntu.com/8065-1/
fixed_packages
0
url pkg:pypi/authlib@1.6.5
purl pkg:pypi/authlib@1.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4wgd-2mpe-tyh3
1
vulnerability VCID-hrf7-xz6n-efcg
2
vulnerability VCID-pguz-hqre-77ac
3
vulnerability VCID-pt7d-e6h5-kbd2
4
vulnerability VCID-sk4t-73s6-rqg9
5
vulnerability VCID-z4uj-gecb-1ucd
6
vulnerability VCID-zafh-nuvx-6fch
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.5
aliases CVE-2025-61920, GHSA-pq5p-34cr-23v9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vjhy-tvsd-gbfm
8
url VCID-zafh-nuvx-6fch
vulnerability_id VCID-zafh-nuvx-6fch
summary authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27962.json
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27962.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27962
reference_id
reference_type
scores
0
value 0.00081
scoring_system epss
scoring_elements 0.23922
published_at 2026-06-09T12:55:00Z
1
value 0.00081
scoring_system epss
scoring_elements 0.24045
published_at 2026-06-05T12:55:00Z
2
value 0.00081
scoring_system epss
scoring_elements 0.24028
published_at 2026-06-06T12:55:00Z
3
value 0.00081
scoring_system epss
scoring_elements 0.23974
published_at 2026-06-07T12:55:00Z
4
value 0.00081
scoring_system epss
scoring_elements 0.23916
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27962
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27962
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27962
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/authlib/authlib
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/authlib/authlib
5
reference_url https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-17T12:43:23Z/
url https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681
6
reference_url https://github.com/authlib/authlib/releases/tag/v1.6.9
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-17T12:43:23Z/
url https://github.com/authlib/authlib/releases/tag/v1.6.9
7
reference_url https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-17T12:43:23Z/
url https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27962
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27962
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448164
reference_id 2448164
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448164
10
reference_url https://github.com/advisories/GHSA-wvwj-cvrp-7pv5
reference_id GHSA-wvwj-cvrp-7pv5
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wvwj-cvrp-7pv5
11
reference_url https://access.redhat.com/errata/RHSA-2026:19375
reference_id RHSA-2026:19375
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:19375
12
reference_url https://access.redhat.com/errata/RHSA-2026:5665
reference_id RHSA-2026:5665
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:5665
13
reference_url https://access.redhat.com/errata/RHSA-2026:7314
reference_id RHSA-2026:7314
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7314
fixed_packages
0
url pkg:pypi/authlib@1.6.9
purl pkg:pypi/authlib@1.6.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hrf7-xz6n-efcg
1
vulnerability VCID-sk4t-73s6-rqg9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.9
aliases CVE-2026-27962, GHSA-wvwj-cvrp-7pv5
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zafh-nuvx-6fch
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@0.8