PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41479 authlib CVE debrief

CVE-2026-41479 is an open redirect (CWE-601) in Authlib, a Python library for building OAuth 2.0 and OpenID Connect clients and servers. The flaw sits in the OAuth 2.0 authorization endpoint: a request that carries an unsupported response_type together with an attacker-controlled redirect_uri is answered with an error redirect to that redirect_uri. Because the error is produced before the client is looked up and before redirect_uri is validated against the client's registered URIs, the attacker needs no client registration, no authenticated user and no prior state; a single unauthenticated request to the authorization endpoint yields a 302 response whose Location header points at an arbitrary attacker-controlled URL. The vulnerability is fixed in Authlib 1.6.10 and 1.7.1.

Vendor: authlib
Product: Unknown
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-26
Advisory published: 2026-06-22
Advisory updated: 2026-06-26

Who should care

Anyone running an OAuth 2.0 or OpenID Connect authorization server built on Authlib is affected, whether or not the deployment has any registered clients, because the vulnerable code path runs before client lookup. An attacker can craft links that point at the organization's own trusted identity provider domain and bounce the victim to a site of the attacker's choosing, which makes for convincing phishing pages and can serve as a stepping stone for further attacks that rely on a trusted origin. The CVSS rating is MEDIUM, but exploitation requires nothing beyond a crafted URL, so the fix in 1.6.10 or 1.7.1 should be applied promptly.

Technical summary

The authorization endpoint evaluates response_type before it resolves the client named by client_id and before it checks redirect_uri against that client's registered redirect URIs. When response_type is not one the server supports, the endpoint builds an unsupported_response_type error response and delivers it as a redirect to whatever redirect_uri the request supplied. Because the target has not been validated at that point, the attacker fully controls the Location header of the resulting 302; no credentials, client registration or earlier interaction is required. NVD scores the issue CVSS 3.1 base 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges needed, but user interaction required because a victim has to follow the crafted link; confidentiality and integrity impact are rated low. The weakness is classified as CWE-601 (URL Redirection to Untrusted Site).
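The following is an added illustration of the bug class, written for this debrief and not taken from Authlib's code base or from the fixing commit. It models a minimal authorization endpoint in plain Python: the vulnerable handler checks response_type first and answers an unsupported value with an error redirect to the request's redirect_uri, while the hardened handler resolves the client and validates redirect_uri before emitting any redirect, and returns a direct error when that validation fails, as RFC 6749 section 4.1.2.1 requires. The client registry, the set of supported response types and the request parameters are constructed sample data, and the function names are hypothetical.

```python
"""Illustration of the CWE-601 pattern behind CVE-2026-41479 (not Authlib code).

Both handlers take the authorization request's query parameters as a dict and
return (status, headers). CLIENTS and SUPPORTED_RESPONSE_TYPES are constructed
sample data for a hypothetical authorization server.
"""
from urllib.parse import urlencode, urlparse

# Constructed client registry: client_id -> registered redirect URIs (hypothetical).
CLIENTS = {
    "web-app": {"redirect_uris": ["https://app.example.com/callback"]},
}
SUPPORTED_RESPONSE_TYPES = {"code"}


def _error_redirect(redirect_uri, error, state=None):
    """RFC 6749 section 4.1.2.1 error response delivered via the redirect URI."""
    query = {"error": error}
    if state:
        query["state"] = state
    sep = "&" if urlparse(redirect_uri).query else "?"
    return 302, {"Location": f"{redirect_uri}{sep}{urlencode(query)}"}


def _resolve_client(params):
    """Return the client record only if client_id is known and redirect_uri
    exactly matches one of its registered URIs (no prefix or host matching)."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None or params.get("redirect_uri") not in client["redirect_uris"]:
        return None
    return client


def authorize_vulnerable(params):
    """Ordering bug: response_type is rejected before the client is resolved,
    so the error redirect trusts an unvalidated, attacker-supplied redirect_uri."""
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return _error_redirect(params.get("redirect_uri", ""),
                               "unsupported_response_type", params.get("state"))
    if _resolve_client(params) is None:
        return 400, {}  # only now is the redirect target validated
    return 200, {}  # would continue to authentication and consent


def authorize_fixed(params):
    """Resolve the client and validate redirect_uri before any redirect. If that
    fails, show the error directly (400) and never redirect (RFC 6749 4.1.2.1)."""
    if _resolve_client(params) is None:
        return 400, {}
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        # Safe: redirect_uri is now known to belong to a registered client.
        return _error_redirect(params["redirect_uri"],
                               "unsupported_response_type", params.get("state"))
    return 200, {}


if __name__ == "__main__":
    # Constructed attack request: unknown client, attacker-chosen redirect_uri.
    attack = {"response_type": "bogus", "redirect_uri": "https://evil.example/phish"}
    print("vulnerable:", authorize_vulnerable(attack))  # 302 to evil.example
    print("fixed:     ", authorize_fixed(attack))       # 400, no Location header
```

The exact-match comparison in _resolve_client is deliberate: prefix or host-suffix matching of redirect URIs is a separate, well-known source of open redirects, and the point of the hardened handler is that nothing reaches _error_redirect unless redirect_uri is literally one a registered client declared.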

Defensive priority

Treat this as a prompt patch rather than a routine one: the affected code path is reachable by any unauthenticated party that can reach the authorization endpoint, and authorization endpoints are by design exposed to users' browsers. Upgrading to 1.6.10 (for the 1.6 line) or 1.7.1 (for the 1.7 line) removes the unvalidated redirect.

Recommended defensive actions

  • Apply patches: upgrade Authlib to 1.6.10 or 1.7.1, whichever matches the release line in use, and confirm the installed version with pip show authlib in each runtime environment, since a transitive or vendored copy can lag the project's direct pin.
  • Review and update: inventory every service that embeds Authlib's authorization server (internal identity providers and container images built from older lockfiles included) and redeploy each one after the upgrade.
  • Monitor for suspicious activity: review authorization endpoint logs for requests whose response_type is outside the set the server supports or whose redirect_uri host does not belong to a registered client, and for 302 responses to such requests; before the patch those are successful open redirects, after it they indicate ongoing probing.
  • Implement compensating controls: until the upgrade lands, validate redirect_uri against the registered client URIs in middleware or at the reverse proxy in front of the authorization endpoint, and answer requests that fail that check with a direct error page rather than any redirect.
  • Inform stakeholders: notify application owners, the identity team and security operations of the issue, the affected versions and the mitigation timeline, and warn user-facing teams that phishing links may abuse the provider's own domain.
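As an added example for the monitoring item above (written for this debrief, not Authlib's or any vendor's tooling), the following Python scans combined-format access-log lines for the authorization endpoint and flags requests whose response_type is unsupported or whose redirect_uri host is not a registered client host. The endpoint path, the supported response types, the registered hosts and the log lines are all constructed assumptions; adjust them to the deployment. Host comparison is exact, so a lookalike such as app.example.com.evil.example is flagged rather than accepted as a suffix match.

```python
"""Detection of open-redirect probing against an OAuth authorization endpoint.

Added example for this debrief, not Authlib or vendor tooling. Parses
combined-format access-log lines and flags authorization requests whose
response_type the server does not support or whose redirect_uri host is not
a registered client host. Paths, allowlists and log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlparse

AUTHZ_PATH = "/oauth/authorize"               # assumed endpoint path
SUPPORTED_RESPONSE_TYPES = {"code"}           # assumed for this deployment
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}  # hosts of registered clients (assumed)

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2026:21:30:01 +0000] "GET /oauth/authorize?response_type=code&client_id=web-app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=x1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jun/2026:21:30:02 +0000] "GET /oauth/authorize?response_type=bogus&redirect_uri=https%3A%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [22/Jun/2026:21:30:03 +0000] "GET /oauth/authorize?response_type=code&client_id=web-app&redirect_uri=https%3A%2F%2Fapp.example.com.evil.example%2F HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.9 - - [22/Jun/2026:21:30:04 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.30"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_open_redirect_attempts(log_text):
    """Return one finding dict per suspicious authorization request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        if target.path != AUTHZ_PATH:
            continue
        q = parse_qs(target.query)  # percent-decodes values
        rtype = q.get("response_type", [""])[0]
        redirect_uri = q.get("redirect_uri", [""])[0]
        host = urlparse(redirect_uri).hostname or ""
        reasons = []
        if rtype not in SUPPORTED_RESPONSE_TYPES:
            reasons.append(f"unsupported response_type={rtype!r}")
        if host not in ALLOWED_REDIRECT_HOSTS:  # exact match, never suffix
            reasons.append(f"redirect_uri host {host!r} not registered")
        if reasons:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),  # 302 here means the redirect was served
                "redirect_uri": redirect_uri,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_open_redirect_attempts(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["redirect_uri"], "; ".join(f["reasons"]))
```

The status field is kept in each finding on purpose: on an unpatched server a 302 on a flagged request means the open redirect fired, whereas after upgrading to 1.6.10 or 1.7.1 the same request should produce a non-redirect error, so a shift from 302 to 4xx on flagged lines doubles as a cheap check that the fix is live.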

Evidence notes

CVE-2026-41479 was published on 2026-06-22T21:16:24.017Z. NVD supplies the CVSS 3.1 score and vector; the GitHub security advisory GHSA-w8p2-r796-3vmq and the Authlib commit that fixes the issue provide the technical context summarized above. No CISA KEV listing is present in the stored evidence. All sources agree on the nature of the flaw: an unauthenticated open redirect in the authorization endpoint of Authlib's OAuth 2.0 and OpenID Connect server implementation.

Official resources

This article is AI-assisted and based on the supplied source corpus.