VulnerableCode Package Details - pkg:deb/debian/python-authlib@1.6.0-1%2Bdeb13u1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/python-authlib@1.6.0-1%2Bdeb13u1

Essentials
History (6)

purl	pkg:deb/debian/python-authlib@1.6.0-1%2Bdeb13u1

Next non-vulnerable version	1.7.2-1
Latest non-vulnerable version	1.7.2-1
Risk	4.5

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-4wgd-2mpe-tyh3 Aliases: CVE-2026-28498 GHSA-m344-f55w-2m6j	authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens	1.7.2-1 Affected by 0 other vulnerabilities.
VCID-hrf7-xz6n-efcg Aliases: CVE-2026-41425 GHSA-jj8c-mmj3-mmgv PYSEC-2026-25	Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.	1.7.2-1 Affected by 0 other vulnerabilities.
VCID-pt7d-e6h5-kbd2 Aliases: CVE-2026-28490 GHSA-7432-952r-cw78	authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5	1.7.2-1 Affected by 0 other vulnerabilities.
VCID-sk4t-73s6-rqg9 Aliases: CVE-2026-44681 GHSA-r95x-qfjj-fjj2 PYSEC-2026-188	Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.	1.7.2-1 Affected by 0 other vulnerabilities.
VCID-z4uj-gecb-1ucd Aliases: CVE-2026-28802 GHSA-7wc2-qxgw-g8gg	Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5) it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.	1.7.2-1 Affected by 0 other vulnerabilities.
VCID-zafh-nuvx-6fch Aliases: CVE-2026-27962 GHSA-wvwj-cvrp-7pv5	authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability	1.7.2-1 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T20:19:55.067622+00:00	Debian Importer	Affected by	VCID-4wgd-2mpe-tyh3	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T20:17:35.415578+00:00	Debian Importer	Affected by	VCID-pt7d-e6h5-kbd2	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:44:45.323787+00:00	Debian Importer	Affected by	VCID-sk4t-73s6-rqg9	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:20:54.369091+00:00	Debian Importer	Affected by	VCID-zafh-nuvx-6fch	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:04:31.810827+00:00	Debian Importer	Affected by	VCID-hrf7-xz6n-efcg	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-04T19:39:35.867778+00:00	Debian Importer	Affected by	VCID-z4uj-gecb-1ucd	https://security-tracker.debian.org/tracker/data/json	38.6.0