Authlib CVE-2026-41425

EUVD ID: EUVD-2026-25615
Severity: MEDIUM
Weakness: Cross-Site Request Forgery (CSRF) (CWE-352)
Published: 2026-04-24 (CNA: GitHub_M)
CVSS 3.1 base score: 5.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: Apr 24, 2026 - 21:02 (EUVD)
Analysis generated: Apr 24, 2026 - 20:16 (vuln.today)

Description (NVD)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

Analysis (AI-generated)

Cross-site request forgery (CSRF) in the cache feature of Authlib's Starlette OAuth client (authlib.integrations.starlette_client.OAuth, versions prior to 1.6.11). The NVD description states only that the cache feature lacks CSRF protection; the standard CSRF defence in an OAuth client is binding the state parameter to the browser session that started the flow, and without such a binding an unauthenticated remote attacker can lure a victim's browser into submitting a forged callback request that completes the flow with cached state the attacker controls. This analysis assesses the outcome as potential session hijacking or token theft; the textbook consequence of an unbound state check on an OAuth client callback is login CSRF, where the victim's application session ends up linked to the attacker's provider account, which is consistent with the Low confidentiality and Low integrity ratings. The vulnerability requires user interaction (UI:R) and no privileges (PR:N). Only deployments that configure a cache on the Starlette client are exposed; the fix is to upgrade to Authlib 1.6.11 or later (check the installed version with pip show authlib). …
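The following is an added illustration of the state-binding failure class described above; it is not Authlib's code and does not claim to reproduce the exact defect in the Starlette client. It models two hypothetical verifiers: CacheOnlyVerifier, which accepts any callback whose state exists in a server-side cache, and SessionBoundVerifier, which additionally requires that the state was issued to the browser session presenting it. The login_csrf helper plays out the login-CSRF scenario (attacker starts a flow, victim's browser is lured into the callback with the attacker's state and code); all class and function names and the sample values are constructed for this example.

```python
"""Toy model of OAuth 2.0 client-side state handling (illustrative, not Authlib).

CacheOnlyVerifier    - state lives only in a cache keyed by the state value;
                       any browser presenting a cached state passes (vulnerable).
SessionBoundVerifier - state is also recorded in the session that started the
                       flow, and the callback must come from that same session.
"""
import secrets
import time


class CsrfError(Exception):
    """Raised when a callback cannot be tied to a flow this session started."""


class CacheOnlyVerifier:
    """Vulnerable pattern: the CSRF check never consults the caller's session."""

    def __init__(self, ttl=600):
        self._cache = {}  # hypothetical shared cache: state -> (expires_at, redirect_uri)
        self._ttl = ttl

    def begin(self, session, redirect_uri):
        """Start an authorization flow; returns the state sent to the provider."""
        state = secrets.token_urlsafe(16)
        self._cache[state] = (time.time() + self._ttl, redirect_uri)
        return state

    def finish(self, session, params):
        """Handle the provider callback. Accepts any known, unexpired state."""
        state = params.get("state")
        entry = self._cache.pop(state, None)
        if entry is None or entry[0] < time.time():
            raise CsrfError("unknown or expired state")
        return {"code": params["code"], "redirect_uri": entry[1]}


class SessionBoundVerifier(CacheOnlyVerifier):
    """Hardened pattern: state must have been issued to the presenting session."""

    def begin(self, session, redirect_uri):
        state = super().begin(session, redirect_uri)
        session.setdefault("_oauth_states", set()).add(state)  # bind to session
        return state

    def finish(self, session, params):
        state = params.get("state")
        owned = session.get("_oauth_states", set())
        if state not in owned:
            raise CsrfError("state was not issued to this session")
        owned.discard(state)  # single use per session
        return super().finish(session, params)


def login_csrf(verifier):
    """Simulate login CSRF against a verifier.

    The attacker starts a flow in their own browser, completes the provider
    step with their own account (obtaining a code), then lures the victim's
    browser into loading the callback URL carrying the attacker's state/code.
    Returns True if the victim's session would be bound to the attacker's code.
    """
    attacker_session = {}
    victim_session = {}
    state = verifier.begin(attacker_session, "https://client.example/callback")
    forged_callback = {"state": state, "code": "ATTACKER-CODE"}  # constructed sample
    try:
        verifier.finish(victim_session, forged_callback)
        return True
    except CsrfError:
        return False


def legitimate_flow(verifier):
    """The honest path: the same session starts and finishes the flow."""
    session = {}
    state = verifier.begin(session, "https://client.example/callback")
    return verifier.finish(session, {"state": state, "code": "USER-CODE"})


if __name__ == "__main__":
    print("cache-only verifier vulnerable to login CSRF:", login_csrf(CacheOnlyVerifier()))
    print("session-bound verifier vulnerable to login CSRF:", login_csrf(SessionBoundVerifier()))
    print("legitimate flow still works:", legitimate_flow(SessionBoundVerifier()))
```

The practitioner's takeaway is the check itself: a cache lookup proves only that some flow with that state was started somewhere, not that the browser now presenting it started that flow. Whichever version of Authlib is installed, a callback handler that cannot answer "did this session start this flow?" is the condition to test for.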

CVE-2026-41425 vulnerability details – vuln.today