CVE-2026-41479
Unauthenticated Open Redirect in Authlib OAuth 2.0

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Authlib is a Python library for building OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As a result, an attacker does not need a valid client registration, an authenticated user, or any prior state. A single request to the authorization endpoint is enough to obtain a 302 Location response to an arbitrary attacker-controlled URL. This vulnerability is fixed in 1.6.10 and 1.7.1.
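The check-ordering problem described above, as an added illustration that is not Authlib's code: a toy authorization-endpoint handler whose vulnerable variant issues an error redirect for an unsupported response_type before any client or redirect_uri validation, beside a hardened variant that looks up the client and exact-matches redirect_uri first and returns a 400 page, never a redirect, when either check fails (the behaviour RFC 6749 section 4.1.2.1 requires). The client registry, client ids and URLs are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed registry: client_id -> registered redirect URIs (hypothetical, not Authlib's API).
CLIENTS = {"app-123": ["https://app.example.com/callback"]}
SUPPORTED_RESPONSE_TYPES = {"code"}


def _error_redirect(uri, error, state=None):
    """Build a (302, Location) tuple carrying an OAuth error in the query string."""
    params = {"error": error}
    if state:
        params["state"] = state
    parts = urlsplit(uri)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return 302, urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def authorize_vulnerable(params):
    """Models the flaw: response_type is checked first, and the error is delivered
    by redirecting to whatever redirect_uri the request supplied, so no client
    lookup or URI validation stands between the request and the 302."""
    redirect_uri = params.get("redirect_uri")
    if not redirect_uri:
        return 400, "missing_redirect_uri"
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return _error_redirect(redirect_uri, "unsupported_response_type", params.get("state"))
    return 200, "consent page"


def authorize_fixed(params):
    """Hardened ordering: validate the client and redirect_uri before any error
    may be reported by redirect; failures of those checks are answered in-band."""
    registered = CLIENTS.get(params.get("client_id"))
    if registered is None:
        return 400, "invalid_client"            # rendered as an error page, no Location header
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(registered) == 1:
        redirect_uri = registered[0]            # single registered URI may be implied
    if redirect_uri not in registered:          # exact string match, no prefix matching
        return 400, "invalid_redirect_uri"      # MUST NOT redirect to an unvalidated URI
    # Only now is it safe to report protocol errors by redirecting to the client.
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return _error_redirect(redirect_uri, "unsupported_response_type", params.get("state"))
    return 200, "consent page"
```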
Affected Vendors & Products
Vendor | Product | Version / Range
authlib | authlib | up to 1.6.10 (inclusive)
authlib | authlib | up to 1.7.1 (inclusive)
CWE ID | Description
CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability exists in the Authlib Python library's OAuth 2.0 authorization endpoint prior to versions 1.6.10 and 1.7.1. When a request uses an unsupported response_type and includes an attacker-controlled redirect_uri, the endpoint can be exploited to perform an unauthenticated open redirect.

The issue occurs before the system performs client lookup or validates the redirect URI, meaning an attacker does not need a valid client registration, an authenticated user, or any prior state to exploit it.

By sending a single crafted request to the authorization endpoint, an attacker can cause the server to respond with a 302 redirect to an arbitrary URL controlled by the attacker.

This vulnerability was fixed in Authlib versions 1.6.10 and 1.7.1.

Impact Analysis

This vulnerability can allow attackers to redirect users to malicious websites without authentication or authorization.

Such open redirects can be used in phishing attacks, where users are tricked into visiting attacker-controlled sites that may steal credentials or deliver malware.

Because the redirect happens before any client validation, it can be exploited even if the attacker does not have a valid client registration or user session.

Overall, this can lead to loss of user trust, potential credential compromise, and damage to the reputation of the affected service.

Mitigation Strategies

To mitigate this vulnerability, upgrade Authlib to version 1.6.10 or 1.7.1 or later, where the issue has been fixed.
