
Python CVE-2025-68158

MEDIUM · 5.7 (CVSS 3.1, GitHub Advisory)
Cross-Site Request Forgery (CSRF) (CWE-352)
Published 2026-01-08 by security-advisories@github.com · GHSA-fg6f-75jq-6523

Severity by source

GitHub Advisory (primary): 5.7 MEDIUM, AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
SUSE: MEDIUM (qualitative)
Red Hat: 5.7 MEDIUM (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline (4 events)

PoC Detected: Mar 30, 2026 - 13:16 (vuln.today), public exploit code
Patch released: Mar 30, 2026 - 13:16 (nvd), patch available
Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 08, 2026 - 18:15 (nvd), rated MEDIUM 5.7
MEDIUM 5.7

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 7 pypi packages depend on authlib (6 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (GitHub Advisory)

Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.

Analysis (AI)

Authlib is a Python library which builds OAuth and OpenID Connect servers. The OAuth state parameter exists to prove that an authorization callback belongs to the browser session that started the request. When a cache is supplied to the client registry, Authlib 1.6.5 and earlier store the state blob under a key derived only from the app name and the state value, and read it back without consulting the caller's session, so a state minted in an attacker-initiated flow is accepted when it arrives from a victim's browser. The CVSS vector records the attacker's need for a low-privilege starting point (their own authentication flow) and for a victim interaction, and scores the outcome as a confidentiality impact. [CVSS 5.7 MEDIUM]

Technical Context (AI)

Classified as CWE-352 (Cross-Site Request Forgery (CSRF)). Affects Authlib versions 1.6.5 and prior when a cache is supplied to the OAuth client registry: FrameworkIntegration.set_state_data writes the whole state blob under _state_{app}_{state} and get_state_data looks it up by that key alone, ignoring the caller's session. The full advisory text is given under Description above.
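The mechanism in the Description and Technical Context above, modelled as an added Python example (illustrative code written for this page, not Authlib's implementation): a cache-backed state store whose reader never consults the session, beside a session-bound variant that records the initiating session's identifier with the blob. The class names, the `sid` field, the `Cache` stand-in and the helper flow functions are assumptions for this example; the `_state_{app}_{state}` key layout is the one the advisory names.

```python
"""Illustrative model of cache-backed OAuth state storage.

Not Authlib's code. StateStore reproduces the pattern the advisory
describes (lookup keyed only by app name and state, session ignored);
SessionBoundStateStore shows one way to bind the blob to the session
that started the flow. All names below are assumptions for this example.
"""
import secrets


class Cache:
    """Stand-in for the cache object supplied to the client registry."""

    def __init__(self):
        self._d = {}

    def set(self, key, value):
        self._d[key] = value

    def get(self, key):
        return self._d.get(key)


class StateStore:
    """Vulnerable pattern: blob keyed by '_state_{app}_{state}' only.

    get_state_data never looks at the caller's session, so any session
    presenting a valid state value gets the blob back.
    """

    def __init__(self, app_name, cache):
        self.app_name = app_name
        self.cache = cache

    def _key(self, state):
        return f"_state_{self.app_name}_{state}"

    def set_state_data(self, session, state, data):
        self.cache.set(self._key(state), data)

    def get_state_data(self, session, state):
        return self.cache.get(self._key(state))


class SessionBoundStateStore(StateStore):
    """Hardened variant: store the initiating session's id with the blob
    and refuse to return it to any other session."""

    SID_KEY = "_oauth_sid"  # assumed session key name

    def _sid(self, session):
        sid = session.get(self.SID_KEY)
        if sid is None:
            sid = secrets.token_urlsafe(16)
            session[self.SID_KEY] = sid
        return sid

    def set_state_data(self, session, state, data):
        self.cache.set(self._key(state), {"sid": self._sid(session), "data": data})

    def get_state_data(self, session, state):
        rec = self.cache.get(self._key(state))
        if rec is None:
            return None
        # Constant-time compare of the stored sid against the caller's sid.
        if not secrets.compare_digest(rec["sid"], self._sid(session)):
            return None
        return rec["data"]


def authorize_redirect(store, session):
    """Start of the flow: mint a state and persist the request context."""
    state = secrets.token_urlsafe(16)
    store.set_state_data(session, state, {"redirect_uri": "https://rp.example/callback"})
    return state


def authorize_access_token(store, session, state):
    """Callback side: True only if the state resolves for this session."""
    return store.get_state_data(session, state) is not None


def login_csrf_succeeds(store_cls):
    """Attacker starts a flow in their own session, then the victim's
    browser is driven to /callback?state=<attacker_state>&code=...  Returns
    True if the victim's session accepts the attacker's state."""
    store = store_cls("example", Cache())
    attacker_session, victim_session = {}, {}
    attacker_state = authorize_redirect(store, attacker_session)
    return authorize_access_token(store, victim_session, attacker_state)


def legitimate_flow_succeeds(store_cls):
    """Same session starts and completes the flow; must work in both stores."""
    store = store_cls("example", Cache())
    session = {}
    state = authorize_redirect(store, session)
    return authorize_access_token(store, session, state)


if __name__ == "__main__":
    print("vulnerable store accepts foreign state:", login_csrf_succeeds(StateStore))
    print("session-bound store accepts foreign state:", login_csrf_succeeds(SessionBoundStateStore))
```

The session-bound store only changes which session the blob is released to; the cache key, the state format and the legitimate single-session flow are untouched, which is the property a fix for this class of bug has to preserve.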

Remediation (AI)

A vendor patch is available: upgrade authlib to version 1.6.6 or later and redeploy any service that registers OAuth clients with a cache. Distribution packages are tracked under Vendor Status below. Restricting network access to the service does not mitigate this issue, because the forged callback is issued by the victim's own browser from wherever it normally reaches the application.
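An added check, not part of the advisory, for finding pinned Authlib versions below the fix in `pip freeze` output or a requirements file. The fixed version comes from the advisory; the sample freeze text is constructed for this example.

```python
"""Flag authlib pins older than the fixed release (1.6.6, per the advisory).

Added check for this page, not vendor tooling. Reads pip-freeze style
lines ("name==version"); other specifiers are ignored on purpose, since
a range pin does not tell you which version is actually installed.
"""
import re
import sys

FIXED_VERSION = (1, 6, 6)  # from the advisory: patched in 1.6.6


def parse_version(text):
    """Leading numeric major.minor[.patch] as a tuple; None if unparseable.
    A pre-release suffix such as 1.6.6rc1 is dropped and compares as 1.6.6."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())


def affected_authlib_pins(freeze_output):
    """Return (line, version) pairs for authlib pins below FIXED_VERSION."""
    hits = []
    for line in freeze_output.splitlines():
        m = re.match(r"^\s*authlib\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if not m:
            continue
        ver = parse_version(m.group(1))
        if ver is not None and ver < FIXED_VERSION:
            hits.append((line.strip(), m.group(1)))
    return hits


# Constructed sample, not output from any real environment.
SAMPLE_FREEZE = """\
Authlib==1.6.5
flask==3.0.3
authlib==1.6.6
requests==2.32.3
"""


if __name__ == "__main__":
    # Usage: pip freeze | python check_authlib.py   (exit 1 when affected)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FREEZE
    hits = affected_authlib_pins(text)
    for line, version in hits:
        print(f"affected: {line} (authlib {version} < 1.6.6)")
    sys.exit(1 if hits else 0)
```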

Vendor Status (Vendor)

SUSE

Severity: Medium
Product Status
  • SUSE Linux Enterprise Desktop 15 SP7: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
  • SUSE Linux Enterprise Module for Python 3 15 SP7: Fixed
  • SUSE Linux Enterprise Server 15 SP7: Fixed
  • SUSE Linux Enterprise Server for SAP Applications 15 SP7: Fixed
  • openSUSE Leap 15.6: Fixed
  • openSUSE Leap 16.0: Fixed
  • openSUSE Tumbleweed: Fixed

CVE-2025-68158 vulnerability details – vuln.today