PatchSiren

authlib CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM authlib CVE published 2026-06-22

CVE-2026-41479

CVE-2026-41479 is a vulnerability in Authlib, a Python library for building OAuth and OpenID Connect servers. The vulnerability occurs in the OAuth 2.0 authorization endpoint, which can be exploited to create an unauthenticated open redirect. This happens when a request uses an unsupported response_type and provides an attacker-controlled redirect_uri. The issue arises before client lookup and redirect UR [truncated]

MEDIUM authlib CVE published 2026-06-17

CVE-2026-48990

The joserfc library, used for implementing JSON Object Signing and Encryption (JOSE) standards in Python, has a moderate availability risk due to a vulnerability in versions 1.3.4 through 1.6.5. This issue arises from the library's acceptance of oversized RFC7797 b64=false JWS payloads without properly applying the JWSRegistry.max_payload_length check, unlike its handling of compact and flattened JSON pat [truncated]

MEDIUM authlib CVE published 2026-05-27

CVE-2026-44681

## Summary Authlib versions prior to 1.6.12 and 1.7.1 contain an unauthenticated open redirect vulnerability in the OpenID Implicit Grant and OpenID Hybrid Grant authorization endpoints. A remote attacker can cause the authorization server to issue an HTTP 302 redirect to an attacker-controlled URL by submitting an authorization request that omits the `openid` scope. This vulnerability was published on 20 [truncated]

HIGH authlib CVE published 2026-03-16

CVE-2026-28498

The Authlib Python library, used for building OAuth and OpenID Connect servers, was found vulnerable to a library-level issue (CVE-2026-28498) concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims was identified to exhibit a fail-open behavior wh [truncated]

CRITICAL authlib CVE published 2026-03-16

CVE-2026-27962

CVE-2026-27962 is a critical vulnerability in the Authlib library, which is used for building OAuth and OpenID Connect servers. The vulnerability, known as JWK Header Injection, allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. This is achieved by passing key=None to any JWS deserialization function, which then extracts and uses the cryptographic key embedd [truncated]

HIGH authlib CVE published 2026-03-06

CVE-2026-28802

CVE-2026-28802 is a high-severity vulnerability in the Authlib Python library, which builds OAuth and OpenID Connect servers. The issue allows for signature skipping in certain scenarios, potentially leading to security bypass. The vulnerability affects versions from 1.6.5 to before 1.6.7. A patch is available in version 1.6.7. The CVSS score for this vulnerability is 7.7, indicating a high severity level.