cvedb.io
CVE-2026-41479
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-06-22T21:16:24.017 · Last modified 2026-06-26T20:10:38.003

Summary

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As a result, an attacker does not need a valid client registration, an authenticated user, or any prior state. A single request to the authorization endpoint is enough to obtain a 302 Location response to an arbitrary attacker-controlled URL. This vulnerability is fixed in 1.6.10 and 1.7.1.

Affected products

authlib — authlib

Does this affect you?

Add your gear to cvedb and we'll alert you only when authlib ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.