| Severity | CVSS score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.8 | CVE-2026-28802 | Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification | >= 1.6.5, < 1.6.7 |
| CRITICAL | 9.1 | CVE-2026-27962 | Authlib JWS JWK Header Injection: Signature Verification Bypass | from 0, < 1.6.9 |
| HIGH | 7.5 | CVE-2026-28498 | Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding | from 0, < 1.6.9 |
| HIGH | 7.5 | | Authlib is vulnerable to Denial of Service via Oversized JOSE Segments | from 0, < 1.6.5 |
| HIGH | 7.5 | | Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) | from 0, < 1.6.4 |
| HIGH | 7.4 | | python-authlib - security update | from 0, < 1.3.1 |
| HIGH | 7.4 | | python-authlib - security update | from 0, < 1.3.1 |
| MEDIUM | 6.5 | | Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle | from 0, < 1.6.9 |
| MEDIUM | 6.5 | | Authlib: JWE zip=DEF decompression bomb enables DoS | from 0, < 1.6.5 |
| MEDIUM | 6.1 | | Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect | from 0, < 1.6.12 |
| MEDIUM | 6.1 | | Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect | >= 1.7.0, < 1.7.1 |
| MEDIUM | 5.7 | | Authlib has 1-click Account Takeover vulnerability | >= 1.0.0, < 1.6.6 |
| MEDIUM | 5.4 | | Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type | from 0, < 1.6.10 |
| MEDIUM | 5.4 | | Authlib: Cross-site request forging when using cache | from 0, < 1.6.11 |
| MEDIUM | 5.4 | | Authlib: Cross-site request forging when using cache | from 0, < 1.6.11 |