CVE-2026-44681
Modified Modified - Updated After Analysis
Open Redirect Vulnerability in Authlib

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-02
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44681
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
authlib authlib to 1.6.12 (exc)
authlib authlib 1.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can be exploited to perform phishing attacks where victims see the legitimate OpenID Connect provider's domain in the URL bar before being redirected to a malicious site.

Such attacks can lead to credential harvesting or further malicious activities by tricking users into trusting the attacker-controlled URL.

Compliance Impact

This vulnerability violates RFC 6749 and RFC 9700, which require redirect URI validation even in error responses.

While the provided information does not explicitly mention GDPR, HIPAA, or other regulatory impacts, the ability to redirect users to malicious sites and potentially harvest credentials could lead to non-compliance with data protection and privacy regulations that mandate secure authentication and user data protection.

Executive Summary

CVE-2026-44681 is a moderate-severity open redirect vulnerability in Authlib's OpenID Connect Implicit and Hybrid authorization flows.

An unauthenticated attacker can craft a malicious authorization request that omits the required 'openid' scope, causing the authorization server to issue an HTTP 302 redirect to an attacker-controlled URL.

This happens because the vulnerable code checks for the 'openid' scope before validating the redirect URI, allowing the attacker to bypass proper redirect URI validation.

Affected versions include Authlib 1.7.0 and earlier, and 1.6.11 and earlier. The vulnerability is fixed in versions 1.6.12 and 1.7.1.

Detection Guidance

This vulnerability can be detected by monitoring authorization requests to the Authlib OpenID Connect authorization endpoint for requests that omit the 'openid' scope but include a redirect_uri parameter. Specifically, look for HTTP GET requests with response_type values like 'id_token' or 'code id_token' that cause HTTP 302 redirects to unexpected or attacker-controlled URLs.

You can use network traffic inspection tools or web server logs to identify such suspicious requests and responses.

Example commands to detect such activity might include:

  • Using tcpdump or tshark to capture HTTP traffic and filter for authorization requests missing the 'openid' scope.
  • Using grep or similar tools on web server logs to find authorization requests without 'openid' in the scope parameter.
  • Example grep command: grep -i 'response_type=id_token' access.log | grep -v 'scope=openid'
  • Check for HTTP 302 responses redirecting to URLs not matching the expected redirect_uri whitelist.
Mitigation Strategies

The primary mitigation is to upgrade Authlib to version 1.6.12 or 1.7.1, where the vulnerability is fixed by properly validating the redirect URI before checking the scope.

If upgrading immediately is not possible, consider disabling the Implicit and Hybrid authorization flows if they are not required, as these flows are the vectors for this vulnerability.

Additionally, review and enforce strict redirect URI validation policies to prevent unauthorized redirects.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44681. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart