authlib
PyPI11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting authlibpage 1 of 1
- CVE-2024-37568HIGHCVSS 7.5EG 7.5✓ Fixed in 1.3.12024-06-09
vulnerable: 0.1 ... 1.3.0 (40 versions)
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CV…
- CVE-2025-59420HIGHCVSS 7.5EG 7.5✓ Fixed in 1.6.42025-09-22
vulnerable: 0.1 ... 1.6.3 (51 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand�…
- CVE-2025-61920HIGHCVSS 7.5EG 7.5✓ Fixed in 1.6.52025-10-10
vulnerable: 0.1 ... 1.6.4 (52 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url…
- CVE-2025-62706MEDIUMCVSS 6.5EG 6.5✓ Fixed in 1.6.52025-10-22
vulnerable: 0.1 ... 1.6.4 (52 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes…
- CVE-2025-68158MEDIUMCVSS 5.7EG 5.7✓ Fixed in 1.6.62026-01-08
vulnerable: 1.0.0 ... 1.6.5 (19 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has …
- CVE-2026-27962CRITICALCVSS 9.1EG 9.1✓ Fixed in 1.6.92026-03-16
vulnerable: 0.1 ... 1.6.8 (56 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that p…
- CVE-2026-28498HIGHCVSS 7.5EG 7.5✓ Fixed in 1.6.92026-03-16
vulnerable: 0.1 ... 1.6.8 (56 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Spe…
- CVE-2026-28802CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.6.72026-03-06
vulnerable: 1.6.5, 1.6.6
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature v…
- CVE-2026-41425MEDIUMCVSS 5.4EG 5.4✓ Fixed in 1.6.112026-04-24
vulnerable: 0.1 ... 1.6.9 (58 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
- CVE-2026-41479MEDIUMCVSS 5.4EG 5.4✓ Fixed in 1.7.12026-06-08
vulnerable: 1.7.0
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported respons…
- CVE-2026-44681MEDIUMCVSS 6.1EG 6.1✓ Fixed in 1.6.122026-05-27
vulnerable: 0.1 ... 1.6.9 (59 versions)
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cau…
Check whether authlib is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for authlib CVEs against the assets you own.
Start Free Scan →