CVE-2026-44681

6.1 MEDIUM

Authlib is a Python library which builds OAuth and OpenID Connect servers

Published: 2026-05-27 · Last updated: 2026-06-02

Severity and scoring

CVSS: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601, CWE-863

Affected products

Vendor	Product
authlib	authlib

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44681
[Vendor advisory]https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2
[Vendor advisory]https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2

Related CVEs

Same CWE

CVE-2026-47777 — Mastodon is a free, open-source social network server based on ActivityPub (7.5 HIGH)
CVE-2016-20075 — WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor... (8.8 HIGH)
CVE-2026-34023 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket...
CVE-2026-2470 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions... (4.3 MEDIUM)
CVE-2026-54398 — An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP o...