CVE-2026-44681
Open Redirect Vulnerability in Authlib
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| authlib | authlib | to 1.6.12 (exc) |
| authlib | authlib | to 1.7.1 (exc) |
| authlib | authlib | to 1.6.12 (inc) |
| authlib | authlib | to 1.7.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can be exploited to perform phishing attacks where victims see the legitimate OpenID Connect provider's domain in the URL bar before being redirected to a malicious site.
Such attacks can lead to credential harvesting or further malicious activities by tricking users into trusting the attacker-controlled URL.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability violates RFC 6749 and RFC 9700, which require redirect URI validation even in error responses.
While the provided information does not explicitly mention GDPR, HIPAA, or other regulatory impacts, the ability to redirect users to malicious sites and potentially harvest credentials could lead to non-compliance with data protection and privacy regulations that mandate secure authentication and user data protection.
Can you explain this vulnerability to me?
CVE-2026-44681 is a moderate-severity open redirect vulnerability in Authlib's OpenID Connect Implicit and Hybrid authorization flows.
An unauthenticated attacker can craft a malicious authorization request that omits the required 'openid' scope, causing the authorization server to issue an HTTP 302 redirect to an attacker-controlled URL.
This happens because the vulnerable code checks for the 'openid' scope before validating the redirect URI, allowing the attacker to bypass proper redirect URI validation.
Affected versions include Authlib 1.7.0 and earlier, and 1.6.11 and earlier. The vulnerability is fixed in versions 1.6.12 and 1.7.1.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring authorization requests to the Authlib OpenID Connect authorization endpoint for requests that omit the 'openid' scope but include a redirect_uri parameter. Specifically, look for HTTP GET requests with response_type values like 'id_token' or 'code id_token' that cause HTTP 302 redirects to unexpected or attacker-controlled URLs.
You can use network traffic inspection tools or web server logs to identify such suspicious requests and responses.
Example commands to detect such activity might include:
- Using tcpdump or tshark to capture HTTP traffic and filter for authorization requests missing the 'openid' scope.
- Using grep or similar tools on web server logs to find authorization requests without 'openid' in the scope parameter.
- Example grep command (matches id_token anywhere in the response_type value, including code%20id_token, and excludes any request whose scope list contains openid in any position): grep -i 'response_type=[^&]*id_token' access.log | grep -vi 'scope=[^&]*openid'
- Check for HTTP 302 responses redirecting to URLs not matching the expected redirect_uri whitelist.
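The detection steps above as a small log scanner, added here as an example (not code from the advisory or from Authlib). Unlike a substring grep, it URL-decodes the query string and splits response_type and scope into tokens, so a scope of 'profile openid' is not a false hit; the log lines and the allow-list of registered redirect URIs are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of the client's registered redirect URIs (assumption, not from the page).
REGISTERED_REDIRECTS = {"https://app.example.com/callback"}

# Request line and status code of a Common/Combined Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyze_request(target):
    """Parse one authorization request target and report the CVE-2026-44681 pattern."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # response_type and scope are space-delimited token lists (RFC 6749): decode and
    # split them instead of substring matching, so 'profile openid' is not a false hit.
    response_types = set(" ".join(qs.get("response_type", [])).split())
    scopes = set(" ".join(qs.get("scope", [])).split())
    redirect_uri = qs.get("redirect_uri", [""])[0]
    # Implicit: response_type contains id_token. Hybrid: code combined with id_token and/or token.
    implicit_or_hybrid = "id_token" in response_types or {"code", "token"} <= response_types
    return {
        "response_type": " ".join(sorted(response_types)),
        "redirect_uri": redirect_uri,
        "missing_openid": implicit_or_hybrid and "openid" not in scopes,
        "unregistered_redirect": bool(redirect_uri) and redirect_uri not in REGISTERED_REDIRECTS,
    }

def scan_log(lines, authorize_path="/authorize"):
    """Report Implicit/Hybrid requests lacking 'openid', and 302s to unregistered redirect URIs."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m.group("target").startswith(authorize_path):
            continue
        info = analyze_request(m.group("target"))
        redirected_elsewhere = m.group("status") == "302" and info["unregistered_redirect"]
        if info["missing_openid"] or redirected_elsewhere:
            findings.append({**info, "status": m.group("status"), "client": line.split()[0]})
    return findings

# Constructed sample log lines (not real traffic); only the second entry matches the pattern.
SAMPLE_LOG = [
    '198.51.100.10 - - [27/May/2026:10:00:01 +0000] "GET /authorize?response_type=id_token'
    '&client_id=app&scope=profile%20openid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback HTTP/1.1" 302 0',
    '198.51.100.11 - - [27/May/2026:10:00:02 +0000] "GET /authorize?response_type=code%20id_token'
    '&client_id=app&scope=profile&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb HTTP/1.1" 302 0',
    '198.51.100.12 - - [27/May/2026:10:00:03 +0000] "GET /authorize?response_type=code'
    '&client_id=app&scope=email&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback HTTP/1.1" 302 0',
    '198.51.100.12 - - [27/May/2026:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) returns only the second entry: an Implicit/Hybrid request without the openid scope that was answered with a 302 to a redirect_uri outside the allow-list.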
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Authlib to version 1.6.12 or 1.7.1, where the vulnerability is fixed by properly validating the redirect URI before checking the scope.
If upgrading immediately is not possible, consider disabling the Implicit and Hybrid authorization flows if they are not required, as these flows are the vectors for this vulnerability.
Additionally, review and enforce strict redirect URI validation policies to prevent unauthorized redirects.