Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As a result, an attacker does not need a valid client registration, an authenticated user, or any prior state. A single request to the authorization endpoint is enough to obtain a 302 Location response to an arbitrary attacker-controlled URL. This vulnerability is fixed in 1.6.10 and 1.7.1.
Published: 2026-06-22
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authlib, a Python library that implements OAuth and OpenID Connect servers, contained a flaw in its OAuth 2.0 authorization endpoint that allowed an attacker to trigger an unauthenticated open redirect by using an unsupported response_type. The vulnerability lets an attacker obtain a 302 Location response to an arbitrary attacker-controlled URL without a valid client registration, user authentication, or prior state. Because redirect_uri is acted on before client lookup and redirect URI validation, the flaw can be exploited for phishing or drive-by-download attacks, undermining user trust and potentially exposing credentials. The weakness is classified as CWE-601 (open redirect).

Affected Systems

The affected parties are developers and organizations using Authlib versions prior to 1.6.10 and 1.7.1. Affected versions are 1.6.x before 1.6.10 and 1.7.x before 1.7.1. The impacted product is the Authlib library itself, used to build OAuth 2.0 and OpenID Connect servers.

Risk and Exploitability

The CVSS score of 5.4 points to moderate risk, and the vulnerability is not listed in the CISA KEV catalog. With no EPSS data available, the exploitation probability remains uncertain, but the flaw is trivially exploitable: a single unauthenticated HTTP request to the authorization endpoint is sufficient to obtain a 302 redirect to a malicious site. Attackers can execute phishing campaigns or redirect users to malicious services without needing any pre‑existing client configuration. The lack of authentication or client validation before redirect handling amplifies the potential impact.

Generated by OpenCVE AI on June 22, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authlib to version 1.6.10 or later (including 1.7.1 and above) to eliminate the open redirect behavior.
  • If an upgrade cannot be applied immediately, modify your server logic to reject or neutralize requests that contain unsupported response_type values before processing redirect_uri, thereby preventing the redirect.
  • As a temporary measure, use a web application firewall or URL filtering rule to block redirection to known malicious domains, reducing the risk of phishing attacks while the library is updated.
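The ordering the second recommendation calls for, shown as an added example that is not Authlib's own code: a framework-agnostic authorization handler (the client registry, the `authorize` function and the placeholder authorization code are all constructed for illustration) that looks up the client and validates redirect_uri against its registration before response_type is examined, so an unsupported response_type can never produce a Location header pointing at an unregistered URI.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

SUPPORTED_RESPONSE_TYPES = {"code"}

# Constructed sample client registry: client_id -> exact registered redirect URIs.
CLIENTS = {
    "demo-client": {"redirect_uris": {"https://app.example.com/callback"}},
}


def _redirect_with(redirect_uri, extra):
    """Append query parameters to an already-validated redirect URI."""
    parts = urlsplit(redirect_uri)
    query = dict(parse_qsl(parts.query))
    query.update(extra)
    return urlunsplit(parts._replace(query=urlencode(query)))


def authorize(params):
    """Handle an authorization request given as a dict of query parameters.

    Returns ("redirect", url) or ("error", status, body). Ordering is the
    whole point: client lookup and redirect_uri validation come first, so
    no later check (including response_type) can redirect anywhere else.
    """
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return ("error", 400, {"error": "invalid_client"})
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        # RFC 6749 s4.1.2.1: a missing or unregistered redirect_uri is
        # answered directly to the user agent, never by redirecting to it.
        return ("error", 400, {"error": "invalid_request",
                               "error_description": "redirect_uri not registered"})
    response_type = params.get("response_type")
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        # Redirecting is safe here only because the URI above came from
        # the client's registration, not from the request.
        extra = {"error": "unsupported_response_type"}
        if "state" in params:
            extra["state"] = params["state"]
        return ("redirect", _redirect_with(redirect_uri, extra))
    # The real flow would authenticate the user and issue a code here;
    # a constructed placeholder keeps the example self-contained.
    extra = {"code": "constructed-authorization-code"}
    if "state" in params:
        extra["state"] = params["state"]
    return ("redirect", _redirect_with(redirect_uri, extra))
```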

Generated by OpenCVE AI on June 22, 2026 at 22:20 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-w8p2-r796-3vmq
Title: Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
History

Tue, 23 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Authlib, Authlib authlib
Vendors & Products | | Authlib, Authlib authlib

Mon, 22 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As a result, an attacker does not need a valid client registration, an authenticated user, or any prior state. A single request to the authorization endpoint is enough to obtain a 302 Location response to an arbitrary attacker-controlled URL. This vulnerability is fixed in 1.6.10 and 1.7.1.
Title | | Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_uri on unsupported response_type
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1: score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:35:13.699Z

Reserved: 2026-04-20T16:14:19.005Z

Link: CVE-2026-41479

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:00:16Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')