CVE-2026-44681

Severity CVSS v4.0:
Pending analysis
Type:
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
27/05/2026
Last modified:
02/06/2026

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:* 1.6.12 (excluding)
cpe:2.3:a:authlib:authlib:1.7.0:*:*:*:*:*:*:*