Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
Published: 2026-04-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authlib, a Python library for OAuth and OpenID Connect servers, had a flaw in the cache feature of its Starlette client integration where no CSRF protection was in place. Because of this, malicious actors could trick users into sending requests that the application would process as if they were legitimate. The vulnerability is categorized as CWE‑352 (Cross‑Site Request Forgery) and CWE‑807 (Protection Mechanism Failure).

Affected Systems

The flaw applies to any deployment of Authlib prior to version 1.6.11 that uses the authlib.integrations.starlette_client.OAuth module. Any Python application incorporating Authlib for OAuth authentication and enabling the cache functionality is potentially affected.

Risk and Exploitability

The flaw combines a protection mechanism failure (CWE‑807) and a missing CSRF guard (CWE‑352). The CVSS score of 5.4 indicates a medium severity rating. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to target a user who has already authenticated with the application and use the cache function to form a forged request. The attack vector is likely browser‑based and requires the victim to interact with the attacker’s web content, which reduces but does not eliminate exploitability.

Generated by OpenCVE AI on May 4, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authlib to version 1.6.11 or later, which adds CSRF protection for the cache feature.
  • If an immediate upgrade is not possible, add CSRF safeguards such as enforcing same‑site cookies or inserting explicit CSRF tokens into the OAuth flow used by the application.
  • Alternatively, disable or avoid using the cache feature in authlib.integrations.starlette_client.OAuth until the patch is applied.

Generated by OpenCVE AI on May 4, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jj8c-mmj3-mmgv Authlib: Cross-site request forging when using cache
History

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-807
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Authlib
Authlib authlib
Vendors & Products Authlib
Authlib authlib

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
Title Authlib: Cross-site request forging when using cache
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Authlib Authlib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:35:01.596Z

Reserved: 2026-04-20T15:32:33.814Z

Link: CVE-2026-41425

cve-icon Vulnrichment

Updated: 2026-04-27T13:09:17.630Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T20:16:27.107

Modified: 2026-04-28T18:18:26.783

Link: CVE-2026-41425

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T19:14:37Z

Links: CVE-2026-41425 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T13:30:45Z

Weaknesses