PYSEC-2026-25

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/authlib/PYSEC-2026-25.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2026-25
Aliases
Published
2026-04-24T20:16:27.107Z
Modified
2026-05-20T09:18:53.642003Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
[none]
Details

Authlib is a Python library for building OAuth and OpenID Connect servers. Prior to 1.6.11, the cache feature in authlib.integrations.starlette_client.OAuth has no CSRF protection. This vulnerability is fixed in 1.6.11.

References

Affected packages

PyPI / authlib

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.6.11

Affected versions

0.*
0.1rc0
0.1
0.2
0.2.1
0.3
0.4
0.4.1
0.5
0.5.1
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.12.1
0.13
0.14
0.14.1
0.14.2
0.14.3
0.15
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
1.*
1.0.0a1
1.0.0a2
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/authlib/PYSEC-2026-25.yaml"