CVE-2026-41479
Analyzed Analyzed - Analysis Complete

Unauthenticated Open Redirect in Authlib OAuth 2.0

Vulnerability report for CVE-2026-41479, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.10 and 1.7.1, Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported response_type and supplies an attacker-controlled redirect_uri. The vulnerable behavior happens before client lookup and before any redirect URI validation. As a result, an attacker does not need a valid client registration, an authenticated user, or any prior state. A single request to the authorization endpoint is enough to obtain a 302 Location response to an arbitrary attacker-controlled URL. This vulnerability is fixed in 1.6.10 and 1.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
authlib authlib 1.7.0
authlib authlib to 1.6.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Authlib's OAuth 2.0 authorization endpoint allows an attacker to perform an open redirect to an arbitrary URL without authentication or client validation. This can enable phishing and credential theft by abusing the trusted authorization server domain as a redirector.

Such open redirect vulnerabilities can undermine security controls required by standards and regulations like GDPR and HIPAA, which mandate protection of user data and prevention of unauthorized access or data breaches.

By enabling phishing and credential theft, this vulnerability could lead to unauthorized disclosure or misuse of personal or sensitive information, potentially resulting in non-compliance with these regulations.

Detection Guidance

This vulnerability can be detected by sending requests to the OAuth 2.0 authorization endpoint with unsupported response_type values and attacker-controlled redirect_uri parameters, then observing if the server responds with a 302 redirect to the supplied redirect_uri without proper validation.

A simple detection method is to craft an HTTP request to the authorization endpoint similar to the following:

  • curl -v 'https://<auth-server>/authorize?response_type=unsupported&client_id=any&redirect_uri=https://attacker.com'

If the server responds with a 302 redirect to https://attacker.com, it indicates the presence of the vulnerability.

Monitoring network traffic for unexpected 302 redirects from the authorization endpoint to untrusted domains can also help detect exploitation attempts.

Executive Summary

This vulnerability exists in the Authlib Python library's OAuth 2.0 authorization endpoint prior to versions 1.6.10 and 1.7.1. When a request uses an unsupported response_type and includes an attacker-controlled redirect_uri, the endpoint can be exploited to perform an unauthenticated open redirect.

The issue occurs before the system performs client lookup or validates the redirect URI, meaning an attacker does not need a valid client registration, an authenticated user, or any prior state to exploit it.

By sending a single crafted request to the authorization endpoint, an attacker can cause the server to respond with a 302 redirect to an arbitrary URL controlled by the attacker.

This vulnerability was fixed in Authlib versions 1.6.10 and 1.7.1.

Impact Analysis

This vulnerability can allow attackers to redirect users to malicious websites without authentication or authorization.

Such open redirects can be used in phishing attacks, where users are tricked into visiting attacker-controlled sites that may steal credentials or deliver malware.

Because the redirect happens before any client validation, it can be exploited even if the attacker does not have a valid client registration or user session.

Overall, this can lead to loss of user trust, potential credential compromise, and damage to the reputation of the affected service.

Mitigation Strategies

To mitigate this vulnerability, upgrade Authlib to version 1.6.10 or 1.7.1 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart