Fluid Attacks Database

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-authlib	=1.2.0-1 \|\| =1.2.0-1+deb12u1 \|\| =1.2.1-1 \|\| =1.3.0-1 \|\| =1.3.0-2 \|\| =1.3.0-3 \|\| =1.3.1-1 \|\| =1.3.2-1 \|\| =1.3.2-2 \|\| =1.4.0-1 \|\| =1.4.1-1 \|\| =1.5.0-1 \|\| =1.5.1-1 \|\| =1.5.2-1 \|\| =1.6.0-1 \|\| =1.6.1-1 \|\| =1.6.3-1 \|\| =1.6.4-1 \|\| =1.6.5-1 \|\| =1.6.6-1 \|\| =1.6.7-1 \|\| =1.6.8-1 \|\| =1.6.9-1 \|\| =1.7.0-1	-
debian 13	python-authlib	=1.6.0-1 \|\| =1.6.0-1+deb13u1 \|\| =1.6.1-1 \|\| =1.6.3-1 \|\| =1.6.4-1 \|\| =1.6.5-1 \|\| =1.6.6-1 \|\| =1.6.7-1 \|\| =1.6.8-1 \|\| =1.6.9-1 \|\| =1.7.0-1	-
debian 14	python-authlib	=1.6.0-1 \|\| =1.6.1-1 \|\| =1.6.3-1 \|\| =1.6.4-1 \|\| =1.6.5-1 \|\| =1.6.6-1 \|\| =1.6.7-1 \|\| =1.6.8-1 \|\| =1.6.9-1 \|\| >=0 <1.7.0-1	1.7.0-1
pypi	authlib	>=0 <1.6.11	1.6.11

Aliases

1. CVE-2026-414252. NVD-2026-414253. OSV-DEBIAN-2026-414254. OSV-2026-414255. GHSA-jj8c-mmj3-mmgv6. GCVE-2026-414257. SECURITY-TRACKER-CVE-2026-41425

References

1. https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv2. https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-25.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.