PatchSiren cyber security CVE debrief
# CVE-2026-44681 authlib CVE debrief
## Summary

Authlib versions prior to 1.6.12 and 1.7.1 contain an unauthenticated open redirect vulnerability in the OpenID Implicit Grant and OpenID Hybrid Grant authorization endpoints. A remote attacker can cause the authorization server to issue an HTTP 302 redirect to an attacker-controlled URL by submitting an authorization request that omits the `openid` scope. This vulnerability was published on 2026-05-27.

## Technical Details

The vulnerability exists in Authlib's implementation of OpenID Connect authorization flows. When processing authorization requests for `OpenIDImplicitGrant` and `OpenIDHybridGrant`, the authorization endpoint fails to properly validate redirect destinations when the `openid` scope is absent from the request. This allows an unauthenticated attacker to manipulate the authorization response, causing the server to redirect users to arbitrary external URLs.

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a network-accessible vulnerability with low attack complexity, no privileges required, and user interaction needed. The scope change (S:C) reflects that the vulnerable authorization server component can impact resources beyond its own security scope.

## Affected Versions

- Authlib prior to 1.6.12
- Authlib prior to 1.7.1

## Fixed Versions

- Authlib 1.6.12
- Authlib 1.7.1

## Recommended Actions

1. **Upgrade immediately** to Authlib 1.6.12 or 1.7.1 (or later) to eliminate the open redirect vulnerability.
2. **Review authorization endpoint configurations** to ensure proper scope validation is enforced for all OpenID Connect flows.
3. **Audit application logs** for suspicious authorization requests lacking the `openid` scope that may indicate attempted exploitation.
4. **Implement additional redirect URI validation** as a defense-in-depth measure, ensuring all redirect destinations are pre-registered and validated against an allowlist.
5. **Monitor for phishing campaigns** that may leverage this open redirect to distribute malicious links appearing to originate from legitimate authorization servers.

## References

- CVE Record: CVE-2026-44681
- NVD Entry: CVE-2026-44681
- GitHub Security Advisory: GHSA-r95
| Field | Value |
| --- | --- |
| Vendor | authlib |
| Product | Unknown |
| CVSS | MEDIUM 6.1 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-27 |
| Original CVE updated | 2026-05-27 |
| Advisory published | 2026-05-27 |
| Advisory updated | 2026-05-27 |
## Who should care

Organizations running Authlib-based OAuth/OpenID Connect authorization servers, particularly those using the Implicit or Hybrid grant types.

## Technical summary

Unauthenticated open redirect in the Authlib `OpenIDImplicitGrant` and `OpenIDHybridGrant` authorization endpoints when the `openid` scope is omitted; fixed in 1.6.12 and 1.7.1.

## Defensive priority

high

## Recommended defensive actions

- Upgrade Authlib to version 1.6.12 or 1.7.1 or later
- Review authorization endpoint configurations for proper scope validation
- Audit application logs for authorization requests missing the `openid` scope
- Implement additional redirect URI validation with pre-registered allowlists
- Monitor for phishing campaigns leveraging this open redirect
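The Technical Details section and the defensive actions above point at two controls a defender can apply independently of the library upgrade: an exact-match allowlist for `redirect_uri` (action 4) and a log audit for OpenID Connect authorization requests that omit the `openid` scope (action 3). The following is an added example written for this debrief; it is not Authlib's code and not taken from the advisory. It assumes a constructed client registry, a constructed single-line request log format (timestamp, method, request target, status), and that the implicit and hybrid flows are the standard OIDC `response_type` combinations (`id_token`, `id_token token`, `code id_token`, `code token`, `code id_token token`); all hostnames and client ids are placeholders.

```python
"""Defensive checks for the Authlib open-redirect advisory (added example).

1. validate_redirect_uri(): exact-match allowlist validation of redirect_uri
   against a client's pre-registered URIs (defense-in-depth, action 4).
2. audit_authorization_log(): scan authorization-endpoint request logs for
   OIDC implicit/hybrid requests that omit the `openid` scope, or that name
   a redirect_uri not on the client's allowlist (log audit, action 3).
"""
from urllib.parse import parse_qs, urlsplit

# Constructed client registry: client_id -> set of pre-registered redirect URIs.
# Hypothetical clients; a real server would load these from its client store.
REGISTERED_REDIRECT_URIS = {
    "client-web": {"https://app.example.com/callback"},
    "client-mobile": {"com.example.app:/oauth2redirect"},
}

# Canonical (sorted, space-joined) response_type values of the OIDC implicit
# and hybrid flows. Assumption: these are the flows served by Authlib's
# OpenIDImplicitGrant / OpenIDHybridGrant; plain "code" / "token" are OAuth 2.0.
OIDC_RESPONSE_TYPES = {
    "id_token", "id_token token",
    "code id_token", "code token", "code id_token token",
}


def normalize_response_type(value):
    """Canonicalize a space-separated response_type so that token order
    does not matter ("token id_token" -> "id_token token")."""
    return " ".join(sorted(value.split()))


def validate_redirect_uri(client_id, redirect_uri):
    """Return True only when the client is known and redirect_uri is exactly
    one of its registered URIs. No prefix, wildcard, host-only or normalized
    matching: those relaxations are the usual source of open-redirect bypasses."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id)
    if not allowed or not redirect_uri:
        return False
    return redirect_uri in allowed


def parse_log_line(line):
    """Parse one constructed log line: '<ts> <method> <target> <status>'.
    Query parameters are decoded; only the first value of each key is kept."""
    ts, method, target, status = line.split()
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    return {"ts": ts, "method": method, "status": status, **params}


def audit_authorization_log(lines):
    """Return a finding per request that (a) uses an OIDC implicit/hybrid
    response_type without the `openid` scope, and/or (b) names a redirect_uri
    that is not on the client's allowlist. Both are signals worth reviewing;
    (a) alone is the request shape the advisory describes."""
    findings = []
    for line in lines:
        req = parse_log_line(line)
        rt = normalize_response_type(req.get("response_type", ""))
        scopes = set(req.get("scope", "").split())
        client = req.get("client_id", "")
        redirect_uri = req.get("redirect_uri", "")
        reasons = []
        if rt in OIDC_RESPONSE_TYPES and "openid" not in scopes:
            reasons.append("oidc response_type without openid scope")
        if not validate_redirect_uri(client, redirect_uri):
            reasons.append("redirect_uri not on client allowlist")
        if reasons:
            findings.append({"ts": req["ts"], "client_id": client,
                             "response_type": rt,
                             "redirect_uri": redirect_uri, "reasons": reasons})
    return findings


# Constructed sample log: one benign OIDC request, one request missing the
# openid scope with an unregistered redirect target, one hybrid request missing
# the openid scope but with a registered redirect_uri, one plain OAuth request.
SAMPLE_LOG = [
    "2026-05-27T10:00:01Z GET /oauth/authorize?response_type=id_token%20token"
    "&client_id=client-web&scope=openid%20profile"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&nonce=n1 302",
    "2026-05-27T10:00:02Z GET /oauth/authorize?response_type=id_token"
    "&client_id=client-web&scope=profile"
    "&redirect_uri=https%3A%2F%2Fevil.example%2Fland&nonce=n2 302",
    "2026-05-27T10:00:03Z GET /oauth/authorize?response_type=code%20id_token"
    "&client_id=client-web&scope=email"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&nonce=n3 302",
    "2026-05-27T10:00:04Z GET /oauth/authorize?response_type=code"
    "&client_id=client-mobile&scope=profile"
    "&redirect_uri=com.example.app%3A%2Foauth2redirect&state=s4 302",
]

if __name__ == "__main__":
    for finding in audit_authorization_log(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the audit needs only `parse_log_line` adapted to the server's log format; the two signals and the exact-match allowlist check stay the same. Treating `redirect_uri` as a whole-string key into the registered set is deliberate: any comparison that normalizes, prefix-matches or compares only the host reintroduces the class of bypass this advisory is about.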
## Evidence notes
Vulnerability description sourced from official CVE record and GitHub Security Advisory. CVSS vector and affected/fixed versions confirmed through NVD data. CWE classifications (CWE-601: URL Redirection to Untrusted Site, CWE-863: Incorrect Authorization) provided by [email protected].
## Official resources

- CVE-2026-44681 CVE record (CVE.org)
- CVE-2026-44681 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27