Vulnerability Details CVE-2026-44681
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.3%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2026-44681
-
cpe:2.3:a:authlib:authlib:-
-
cpe:2.3:a:authlib:authlib:0.1
-
cpe:2.3:a:authlib:authlib:0.10
-
cpe:2.3:a:authlib:authlib:0.11
-
cpe:2.3:a:authlib:authlib:0.12
-
cpe:2.3:a:authlib:authlib:0.12.1
-
cpe:2.3:a:authlib:authlib:0.13
-
cpe:2.3:a:authlib:authlib:0.14
-
cpe:2.3:a:authlib:authlib:0.14.1
-
cpe:2.3:a:authlib:authlib:0.14.2
-
cpe:2.3:a:authlib:authlib:0.14.3
-
cpe:2.3:a:authlib:authlib:0.15
-
cpe:2.3:a:authlib:authlib:0.15.1
-
cpe:2.3:a:authlib:authlib:0.15.2
-
cpe:2.3:a:authlib:authlib:0.15.3
-
cpe:2.3:a:authlib:authlib:0.15.4
-
cpe:2.3:a:authlib:authlib:0.15.5
-
cpe:2.3:a:authlib:authlib:0.15.6
-
cpe:2.3:a:authlib:authlib:0.2
-
cpe:2.3:a:authlib:authlib:0.2.1
-
cpe:2.3:a:authlib:authlib:0.3
-
cpe:2.3:a:authlib:authlib:0.4
-
cpe:2.3:a:authlib:authlib:0.4.1
-
cpe:2.3:a:authlib:authlib:0.5
-
cpe:2.3:a:authlib:authlib:0.5.1
-
cpe:2.3:a:authlib:authlib:0.6
-
cpe:2.3:a:authlib:authlib:0.7
-
cpe:2.3:a:authlib:authlib:0.8
-
cpe:2.3:a:authlib:authlib:0.9
-
cpe:2.3:a:authlib:authlib:1.0.0
-
cpe:2.3:a:authlib:authlib:1.0.1
-
cpe:2.3:a:authlib:authlib:1.1.0
-
cpe:2.3:a:authlib:authlib:1.2.0
-
cpe:2.3:a:authlib:authlib:1.2.1
-
cpe:2.3:a:authlib:authlib:1.3.0
-
cpe:2.3:a:authlib:authlib:1.3.1
-
cpe:2.3:a:authlib:authlib:1.3.2
-
cpe:2.3:a:authlib:authlib:1.4.0
-
cpe:2.3:a:authlib:authlib:1.4.1
-
cpe:2.3:a:authlib:authlib:1.5.0
-
cpe:2.3:a:authlib:authlib:1.5.1
-
cpe:2.3:a:authlib:authlib:1.5.2
-
cpe:2.3:a:authlib:authlib:1.6.0
-
cpe:2.3:a:authlib:authlib:1.6.1
-
cpe:2.3:a:authlib:authlib:1.6.10
-
cpe:2.3:a:authlib:authlib:1.6.11
-
cpe:2.3:a:authlib:authlib:1.6.2
-
cpe:2.3:a:authlib:authlib:1.6.3
-
cpe:2.3:a:authlib:authlib:1.6.4
-
cpe:2.3:a:authlib:authlib:1.6.5
-
cpe:2.3:a:authlib:authlib:1.6.6
-
cpe:2.3:a:authlib:authlib:1.6.7
-
cpe:2.3:a:authlib:authlib:1.6.8
-
cpe:2.3:a:authlib:authlib:1.6.9
-
cpe:2.3:a:authlib:authlib:1.7.0