Authlib

9 vulnerabilities found.

Note: This list may be incomplete. Data is provided as-is in its original format, without warranty.
Exploit
  • EPSS 0.02%
  • Published 16.03.2026 18:16:07
  • Last modified 17.03.2026 20:40:37

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, ...

Exploit
  • EPSS 0.01%
  • Published 16.03.2026 17:37:57
  • Last modified 17.03.2026 20:45:45

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE...

Exploit
  • EPSS 0.05%
  • Published 16.03.2026 17:34:38
  • Last modified 17.03.2026 20:46:48

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signatu...

Exploit
  • EPSS 0.02%
  • Published 06.03.2026 06:44:26
  • Last modified 09.03.2026 21:20:56

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification...

Exploit
  • EPSS 0.03%
  • Published 08.01.2026 17:58:17
  • Last modified 30.03.2026 13:16:21

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid sta...

Exploit
  • EPSS 0.13%
  • Published 22.10.2025 21:31:10
  • Last modified 03.11.2025 18:17:02

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, ...

Exploit
  • EPSS 0.5%
  • Published 10.10.2025 19:25:07
  • Last modified 03.11.2025 18:17:01

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded head...

Exploit
  • EPSS 0.01%
  • Published 22.09.2025 17:28:53
  • Last modified 03.11.2025 18:17:01

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An at...

Exploit
  • EPSS 0.15%
  • Published 09.06.2024 19:15:52
  • Last modified 03.11.2025 18:15:42

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-3366...