MEDIUM 6.1

PYSEC-2026-188

Details

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / authlib

Introduced in: 0 Fixed in: 1.6.12

Fix pip install --upgrade 'authlib>=1.6.12'

References

https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2 [EVIDENCE]