Package details: pkg:pypi/authlib@1.6.6
purl pkg:pypi/authlib@1.6.6
Next non-vulnerable version 1.6.12
Latest non-vulnerable version 1.7.1
Risk 4.5
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-4wgd-2mpe-tyh3
Aliases:
CVE-2026-28498
GHSA-m344-f55w-2m6j
authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens
1.6.9
Affected by 2 other vulnerabilities.
VCID-hrf7-xz6n-efcg
Aliases:
CVE-2026-41425
GHSA-jj8c-mmj3-mmgv
PYSEC-2026-25
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
1.6.11
Affected by 1 other vulnerability.
VCID-pt7d-e6h5-kbd2
Aliases:
CVE-2026-28490
GHSA-7432-952r-cw78
authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5
1.6.9
Affected by 2 other vulnerabilities.
VCID-sk4t-73s6-rqg9
Aliases:
CVE-2026-44681
GHSA-r95x-qfjj-fjj2
PYSEC-2026-188
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
1.6.12
Affected by 0 other vulnerabilities.
1.7.1
Affected by 0 other vulnerabilities.
VCID-z4uj-gecb-1ucd
Aliases:
CVE-2026-28802
GHSA-7wc2-qxgw-g8gg
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5), it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code, when a failure was expected.
1.6.7
Affected by 5 other vulnerabilities.
VCID-zafh-nuvx-6fch
Aliases:
CVE-2026-27962
GHSA-wvwj-cvrp-7pv5
authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability
1.6.9
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-pguz-hqre-77ac
Aliases:
CVE-2025-68158
GHSA-fg6f-75jq-6523
Authlib has 1-click Account Takeover vulnerability

Cache-backed state/request-token storage is not tied to the initiating user session, making CSRF possible for any attacker that possesses a valid state value (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, `FrameworkIntegration.set_state_data` writes the entire state blob under `_state_{app}_{state}`, and `get_state_data` disregards the caller's session entirely. [1][2]

```py
def _get_cache_data(self, key):
    value = self.cache.get(key)
    if not value:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return None

# [snip]

def get_state_data(self, session, state):
    key = f"_state_{self.name}_{state}"
    if self.cache:
        value = self._get_cache_data(key)
    else:
        value = session.get(key)
    if value:
        return value.get("data")
    return None
```

*authlib/integrations/base_client/framework_integration.py:12-41*

Retrieval in `authorize_access_token` therefore succeeds for whichever browser presents that opaque value, and the token exchange proceeds with the attacker's authorization code. [3]

```py
def authorize_access_token(self, **kwargs):
    """Fetch access token in one step.

    :return: A token dict.
    """
    params = request.args.to_dict(flat=True)
    state = params.get("oauth_token")
    if not state:
        raise OAuthError(description='Missing "oauth_token" parameter')
    data = self.framework.get_state_data(session, state)
    if not data:
        raise OAuthError(description='Missing "request_token" in temporary data')
    params["request_token"] = data["request_token"]
    params.update(kwargs)
    self.framework.clear_state_data(session, state)
    token = self.fetch_access_token(**params)
    self.token = token
    return token
```

*authlib/integrations/flask_client/apps.py:57-76*

This opens up an avenue for Login CSRF in applications that use cache-backed storage. Depending on the dependent application's implementation (e.g., whether it links accounts in the event of a login CSRF), this could lead to account takeover.
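The root cause above is that a cache-backed `get_state_data` answers any caller holding the opaque `state`. The following is an added illustration (not Authlib's own code or its upstream fix) of one way to bind cache entries to the initiating browser session: a per-session random nonce is recorded in the blob on `set_state_data` and checked on `get_state_data`, so a state minted in one session is unusable from another. `NONCE_KEY`, `SessionBoundStateStore`, and the in-memory session/cache dicts are constructed for this example.

```python
import json
import secrets

NONCE_KEY = "_oauth_state_nonce"  # constructed session key for this example

class SessionBoundStateStore:
    """Cache-backed OAuth state storage that only hands a state blob back to
    the session that created it (added illustration, not Authlib's code)."""

    def __init__(self, name, cache):
        self.name = name
        self.cache = cache  # any dict-like shared store (get / setitem / pop)

    @staticmethod
    def _nonce(session, create):
        # One random secret per browser session; it never leaves the session.
        nonce = session.get(NONCE_KEY)
        if nonce is None and create:
            nonce = secrets.token_urlsafe(32)
            session[NONCE_KEY] = nonce
        return nonce

    def set_state_data(self, session, state, data):
        # Same key shape as the page's snippet; the blob now records the initiating session.
        blob = {"data": data, "nonce": self._nonce(session, create=True)}
        self.cache[f"_state_{self.name}_{state}"] = json.dumps(blob)

    def get_state_data(self, session, state):
        raw = self.cache.get(f"_state_{self.name}_{state}")
        try:
            blob = json.loads(raw) if raw else None
        except (TypeError, ValueError):
            blob = None
        mine = self._nonce(session, create=False)
        # A state minted by another session is rejected even though the
        # opaque value is valid and present in the shared cache.
        if not blob or not mine or not secrets.compare_digest(mine.encode(), str(blob.get("nonce", "")).encode()):
            return None
        return blob.get("data")

    def clear_state_data(self, session, state):
        self.cache.pop(f"_state_{self.name}_{state}", None)

def demo():
    # Two browser sessions sharing one cache: returns (initiator_sees, other_sees).
    store = SessionBoundStateStore("github", cache={})
    initiator, other = {}, {}  # constructed per-browser session dicts
    state = secrets.token_urlsafe(16)
    store.set_state_data(initiator, state, {"request_token": "rt-example"})
    return store.get_state_data(initiator, state), store.get_state_data(other, state)
```

A session that never started a flow has no nonce and is refused outright, which is the case a login-CSRF victim's browser falls into.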

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T08:08:03.552973+00:00 GitLab Importer Affected by VCID-hrf7-xz6n-efcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2026-41425.yml 38.6.0
2026-06-06T08:07:22.193196+00:00 GitLab Importer Affected by VCID-hrf7-xz6n-efcg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/GHSA-jj8c-mmj3-mmgv.yml 38.6.0
2026-06-06T07:27:46.587482+00:00 GitLab Importer Affected by VCID-zafh-nuvx-6fch https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2026-27962.yml 38.6.0
2026-06-06T07:27:43.281287+00:00 GitLab Importer Affected by VCID-pt7d-e6h5-kbd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2026-28490.yml 38.6.0
2026-06-06T07:27:38.160040+00:00 GitLab Importer Affected by VCID-4wgd-2mpe-tyh3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2026-28498.yml 38.6.0
2026-06-06T07:12:50.901249+00:00 GitLab Importer Affected by VCID-z4uj-gecb-1ucd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2026-28802.yml 38.6.0
2026-06-05T22:02:59.556840+00:00 GHSA Importer Affected by VCID-z4uj-gecb-1ucd https://github.com/advisories/GHSA-7wc2-qxgw-g8gg 38.6.0
2026-06-05T21:56:05.812278+00:00 GHSA Importer Fixing VCID-pguz-hqre-77ac https://github.com/advisories/GHSA-fg6f-75jq-6523 38.6.0
2026-06-05T17:05:35.649694+00:00 PyPI Importer Affected by VCID-sk4t-73s6-rqg9 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:05:22.522821+00:00 PyPI Importer Affected by VCID-hrf7-xz6n-efcg https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-04T16:54:19.090165+00:00 GithubOSV Importer Fixing VCID-pguz-hqre-77ac https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-fg6f-75jq-6523/GHSA-fg6f-75jq-6523.json 38.6.0
2026-06-04T16:14:39.862293+00:00 Pypa Importer Affected by VCID-sk4t-73s6-rqg9 https://github.com/pypa/advisory-database/blob/main/vulns/authlib/PYSEC-2026-188.yaml 38.6.0
2026-06-02T04:49:25.139590+00:00 GitLab Importer Fixing VCID-pguz-hqre-77ac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/authlib/CVE-2025-68158.yml 38.6.0
2026-06-02T04:24:54.820349+00:00 Pypa Importer Affected by VCID-hrf7-xz6n-efcg https://github.com/pypa/advisory-database/blob/main/vulns/authlib/PYSEC-2026-25.yaml 38.6.0