Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
Published: 2026-05-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authlib exposed an unauthenticated open redirect in its OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints prior to versions 1.6.12 and 1.7.1. Attackers can craft a request that omits the openid scope to cause the authorization server to issue an HTTP 302 redirect to an arbitrary, attacker-chosen URL. The vulnerability enables phishing or credential-stealing attacks by misleading users into believing they are interacting with the legitimate authorization server. The weakness is represented by CWE-601 (Open Redirect) and CWE-863 (Missing authorization scope).

Affected Systems

The issue affects the Authlib library for Python. Versions earlier than 1.6.12 and 1.7.1 are vulnerable; any deployment that implements OpenID Connect implicit or hybrid flows using those versions is at risk.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity. No EPSS data is available, and it is not listed in the CISA KEV catalog. The attack vector is remote; any unauthenticated remote party can trigger the redirect by sending an authorization request to the impacted server. Successful exploitation requires the attacker to target a legitimate instance of Authlib that exposes its OIDC endpoints.

Generated by OpenCVE AI on May 27, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Authlib to version 1.6.12 or later, or 1.7.1 or later, which removes the redirect flaw.
  • Ensure that the OAuth/OIDC endpoints validate the presence of the openid scope for implicit or hybrid grants, rejecting requests that omit it.
  • If upgrading is not immediately possible, restrict exposure of the OIDC endpoints to trusted clients only, or implement network-level filtering to block requests lacking the openid scope.
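A server-side check of the kind the second recommendation describes, added here as an example; it is not code from Authlib or OpenCVE, and the client registry, function names and sample URIs are assumptions. The point it demonstrates is ordering: the registered redirect_uri is validated before anything else, so an error caused by a missing openid scope on an implicit or hybrid request can only ever be redirected to a registered URI, and a request whose redirect_uri is not registered is answered directly with a 400 rather than a 302.

```python
"""Added example: refuse OIDC implicit/hybrid authorization requests that
lack the ``openid`` scope, without ever redirecting to an unvalidated URI.
Structure and names are assumptions for illustration, not Authlib's API."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

# OIDC implicit and hybrid response types (OpenID Connect Core 1.0, sections 3.2 and 3.3).
# Both flows require the openid scope in the authorization request.
OIDC_IMPLICIT_RESPONSE_TYPES = {"id_token", "id_token token"}
OIDC_HYBRID_RESPONSE_TYPES = {"code id_token", "code token", "code id_token token"}


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    redirect_uris: frozenset  # exact-match set of registered redirect URIs


# Constructed sample client registry (assumption).
CLIENTS = {
    "app123": RegisteredClient("app123", frozenset({"https://app.example/cb"})),
}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # Location header; only set on a 302
    error: Optional[str] = None


def _canonical_response_type(raw: str) -> str:
    # response_type is a space-separated set; token order is not significant.
    return " ".join(sorted(raw.split()))


def _first(params: dict, key: str) -> Optional[str]:
    values = params.get(key)
    return values[0] if values else None


def authorize(query_string: str) -> Response:
    """Decide how the authorization endpoint answers a GET query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    client_id = _first(params, "client_id")
    redirect_uri = _first(params, "redirect_uri")
    response_type = _canonical_response_type(_first(params, "response_type") or "")
    scopes = set((_first(params, "scope") or "").split())
    state = _first(params, "state")

    # 1. Client and redirect_uri are validated before any other check. On
    #    failure the server answers directly and never redirects to the
    #    supplied URI (RFC 6749, section 4.1.2.1).
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client.redirect_uris:
        return Response(status=400, error="invalid_request")

    # 2. From here on, error redirects can only target the registered URI.
    def error_redirect(code: str, use_fragment: bool) -> Response:
        query = {"error": code}
        if state:
            query["state"] = state
        sep = "#" if use_fragment else "?"
        return Response(status=302, location=f"{redirect_uri}{sep}{urlencode(query)}", error=code)

    is_implicit = response_type in OIDC_IMPLICIT_RESPONSE_TYPES
    is_hybrid = response_type in OIDC_HYBRID_RESPONSE_TYPES
    if not (is_implicit or is_hybrid or response_type == "code"):
        return error_redirect("unsupported_response_type", use_fragment=False)

    # 3. Implicit and hybrid flows are OIDC flows: a request without the
    #    openid scope is rejected with invalid_scope. Implicit/hybrid errors
    #    are carried in the fragment, matching the flow's default response mode.
    if (is_implicit or is_hybrid) and "openid" not in scopes:
        return error_redirect("invalid_scope", use_fragment=True)

    # Validation passed; a real server would continue to authentication/consent.
    return Response(status=200)
```

The two cases worth keeping in mind together: a request with an unregistered redirect_uri gets a 400 with no Location header whatever its scope says, and a request from a registered client that omits openid on an implicit response type gets a 302, but only to that client's registered URI with error=invalid_scope.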



Advisories
Source: GitHub GHSA
ID: GHSA-r95x-qfjj-fjj2
Title: Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect
History

Thu, 28 May 2026 03:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Authlib; Authlib authlib
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Authlib; Authlib authlib

Wed, 27 May 2026 19:30:00 +0000

Type: Description
  Values Added: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
Type: Title
  Values Added: Authlib: Open Redirect in Authlib OIDC Implicit/Hybrid Authorization
Type: Weaknesses
  Values Added: CWE-601; CWE-863
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T19:20:44.122Z

Reserved: 2026-05-07T16:20:08.660Z

Link: CVE-2026-44681

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T20:16:37.463

Modified: 2026-05-27T20:16:37.463

Link: CVE-2026-44681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:00:05Z

Weaknesses