Authlib

12 vulnerabilities found.

Note: this list may be incomplete. Data is provided as-is, in its original format, without warranty.
  • EPSS 0.16%
  • Published 22.06.2026 20:35:13
  • Last modified 23.06.2026 15:50:26

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and ...

Exploit
  • EPSS 0.2%
  • Published 27.05.2026 19:20:44
  • Last modified 02.06.2026 17:16:32

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the auth...

Exploit
  • EPSS 0.11%
  • Published 24.04.2026 19:14:37
  • Last modified 28.04.2026 18:18:26

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

Exploit
  • EPSS 0.2%
  • Published 16.03.2026 18:16:07
  • Last modified 17.03.2026 20:40:37

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, ...

Exploit
  • EPSS 0.14%
  • Published 16.03.2026 17:37:57
  • Last modified 17.03.2026 20:45:45

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE...

Exploit
  • EPSS 0.41%
  • Published 16.03.2026 17:34:38
  • Last modified 17.03.2026 20:46:48

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signatu...

Exploit
  • EPSS 0.34%
  • Published 06.03.2026 06:44:26
  • Last modified 09.03.2026 21:20:56

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification...

Exploit
  • EPSS 0.24%
  • Published 08.01.2026 17:58:17
  • Last modified 30.03.2026 13:16:21

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid sta...
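The pattern behind the entry above is generic: if a state (or request-token) record lives in a shared cache keyed only by the state value, any party who holds a valid state, including an attacker who simply started their own flow, can feed it into a victim's browser and complete the victim's callback (login CSRF). The following is an added example, not Authlib's code, showing the unbound cache lookup next to a lookup bound to the initiating session. The session identifiers, cache and redirect URIs are constructed for the demo.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-in for a shared cache (Redis, memcached, ...).
CACHE: Dict[str, Dict[str, str]] = {}


def weak_begin(redirect_uri: str) -> str:
    """Vulnerable pattern: the cache entry is keyed by the state value alone."""
    state = secrets.token_urlsafe(32)
    CACHE[f"state:{state}"] = {"redirect_uri": redirect_uri}
    return state


def weak_complete(state: str) -> Optional[Dict[str, str]]:
    """Whoever presents a valid state finishes the flow, in whatever browser session."""
    return CACHE.pop(f"state:{state}", None)


def _bound_key(session_id: str, state: str) -> str:
    # Derive the cache key from the session *and* the state, so an entry created
    # in one session cannot be found from another.
    digest = hashlib.sha256(f"{session_id}\x00{state}".encode()).hexdigest()
    return f"state:{digest}"


def bound_begin(session_id: str, redirect_uri: str) -> str:
    """Hardened pattern: the entry is bound to the session that started the flow."""
    state = secrets.token_urlsafe(32)
    CACHE[_bound_key(session_id, state)] = {"redirect_uri": redirect_uri}
    return state


def bound_complete(session_id: str, state: str) -> Optional[Dict[str, str]]:
    """Only the initiating session can complete, and the entry is consumed on first use."""
    return CACHE.pop(_bound_key(session_id, state), None)


def demo() -> Dict[str, bool]:
    """Login-CSRF scenario: attacker starts a flow, victim's browser delivers the callback."""
    CACHE.clear()
    victim_session, attacker_session = "sess-victim", "sess-attacker"

    # Weak store: attacker's state works when presented from the victim's session.
    attacker_state = weak_begin("https://rp.example/callback")
    weak_csrf_succeeds = weak_complete(attacker_state) is not None

    # Bound store: attacker's state is useless from any other session.
    attacker_state = bound_begin(attacker_session, "https://rp.example/callback")
    bound_csrf_blocked = bound_complete(victim_session, attacker_state) is None

    # The legitimate flow still works, exactly once.
    victim_state = bound_begin(victim_session, "https://rp.example/callback")
    bound_legit_ok = bound_complete(victim_session, victim_state) is not None
    bound_replay_blocked = bound_complete(victim_session, victim_state) is None

    return {
        "weak_csrf_succeeds": weak_csrf_succeeds,
        "bound_csrf_blocked": bound_csrf_blocked,
        "bound_legit_ok": bound_legit_ok,
        "bound_replay_blocked": bound_replay_blocked,
    }
```

Binding the cache key to the session is one way to fix the class; keeping the state in the server-side session itself and comparing on callback is the other. Either way the check that matters is "did this browser start this flow", not "is this state value known to the cache".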

Exploit
  • EPSS 0.42%
  • Published 22.10.2025 21:31:10
  • Last modified 03.11.2025 18:17:02

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, ...
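Raw DEFLATE, which is what JWE's zip=DEF carries, can expand a few kilobytes into many megabytes, so the decompressor must be given an output bound, not just an input bound. The following is an added example using only the standard library (not Authlib's implementation): it inflates with a hard cap on the produced bytes and treats crossing the cap as a rejection. The 64 KiB default and the constructed "bomb" plaintext are assumptions for the demo; a real deployment would pick the cap from the largest plaintext it legitimately issues.

```python
import zlib
from typing import Optional


class DecompressionLimitExceeded(ValueError):
    """Raised when inflated output would exceed the configured bound."""


def raw_deflate(data: bytes) -> bytes:
    """Constructed helper: raw DEFLATE (no zlib header/trailer), as used by JWE zip=DEF."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_bounded(data: bytes, max_out: int = 64 * 1024) -> bytes:
    """Inflate raw DEFLATE, refusing to produce more than max_out bytes."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    # Ask zlib for at most max_out + 1 bytes. If we actually receive that many,
    # the stream wanted to expand past the cap and we stop before buffering more.
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise DecompressionLimitExceeded(
            f"inflated output exceeds {max_out} bytes (compressed input was {len(data)} bytes)"
        )
    if not d.eof:
        # Output fit under the cap but the stream never reached its final block.
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def inflate_or_reject(data: bytes, max_out: int = 64 * 1024) -> Optional[bytes]:
    """Convenience wrapper: plaintext on success, None on any rejection."""
    try:
        return inflate_bounded(data, max_out)
    except (DecompressionLimitExceeded, ValueError, zlib.error):
        return None


def ratio_bomb(expanded_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample: a highly compressible plaintext that deflates to a few KiB."""
    return raw_deflate(b"\x00" * expanded_size)


if __name__ == "__main__":
    bomb = ratio_bomb()
    print(f"bomb: {len(bomb)} compressed bytes ->", inflate_or_reject(bomb))
    print("normal:", inflate_or_reject(raw_deflate(b'{"sub":"alice"}')))
```

The important property is that the cap is enforced by the decompressor itself via the max_length argument; checking len(result) after an unbounded decompress() call is too late, because the full expansion has already been allocated.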

Exploit
  • EPSS 0.58%
  • Published 10.10.2025 19:25:07
  • Last modified 03.11.2025 18:17:01

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib's JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url-encoded head...
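Three of the entries on this page (the unbounded header/signature segments above, the alg: none acceptance in 1.6.5 to 1.6.7, and the JWK header injection fixed in 1.6.9) share a defence: a cheap policy gate on the compact JWS before any key lookup or signature verification happens. The following is an added example, not Authlib's code, of such a gate over the standard library. The size caps, the algorithm allowlist and the set of rejected key-carrying header parameters are assumed policy values; the make_token helper only builds structurally valid test tokens with a placeholder signature.

```python
import base64
import json
from typing import Any, Dict

# Assumed policy values; tune to the deployment.
MAX_HEADER_B64 = 4096      # max length of the base64url protected-header segment
MAX_SIGNATURE_B64 = 1024   # ample for RSA-4096 / P-521 signatures
ALLOWED_ALGS = frozenset({"RS256", "PS256", "ES256", "EdDSA"})
# Key material must come from the server's configured key set, never from the token.
UNTRUSTED_KEY_HEADERS = frozenset({"jwk", "jku", "x5u", "x5c"})
B64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


class TokenRejected(ValueError):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Strict alphabet check: no padding, no whitespace, no standard-base64 characters.
    if not segment or not set(segment) <= B64URL_ALPHABET:
        raise TokenRejected("segment is empty or not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def gate_jws(token: str) -> Dict[str, Any]:
    """Structural and policy checks to run before key lookup or signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("compact JWS must have exactly three segments")
    h_b64, _payload_b64, s_b64 = parts

    # Size caps first: they cost nothing and stop memory/CPU abuse before decoding.
    if len(h_b64) > MAX_HEADER_B64:
        raise TokenRejected("protected header too large")
    if len(s_b64) > MAX_SIGNATURE_B64:
        raise TokenRejected("signature segment too large")
    if not s_b64:
        raise TokenRejected("empty signature")

    try:
        header = json.loads(_b64url_decode(h_b64))
    except ValueError as exc:  # covers TokenRejected, binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenRejected(f"unparseable header: {exc}") from None
    if not isinstance(header, dict):
        raise TokenRejected("header is not a JSON object")

    # Algorithm must be a string on the allowlist; "none" (any case) is never acceptable.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise TokenRejected(f"alg not allowed: {alg!r}")

    # A token that ships its own verification key is asking to verify itself.
    leaked = header.keys() & UNTRUSTED_KEY_HEADERS
    if leaked:
        raise TokenRejected(f"token carries its own key material: {sorted(leaked)}")

    if "crit" in header:
        raise TokenRejected("unsupported crit extension")
    return header


def gate_verdict(token: str) -> str:
    """'ok' if the token passes the gate, otherwise the rejection reason."""
    try:
        gate_jws(token)
        return "ok"
    except TokenRejected as exc:
        return str(exc)


def make_token(header: Dict[str, Any], payload: Dict[str, Any],
               signature: bytes = b"\x01" * 64) -> str:
    """Constructed helper for tests: builds a compact JWS with a placeholder signature."""
    return ".".join((
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(signature),
    ))
```

The gate is deliberately dumb: it never touches a key and never verifies anything. Its job is to make sure that what reaches the real verifier is small, well-formed, uses an algorithm the server actually configured, and cannot steer key selection through the header.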