Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 3 pypi packages depend on authlib (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.6.11.
DescriptionGitHub Advisory
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
AnalysisAI
Cross-site request forgery (CSRF) in Authlib's Starlette OAuth client cache feature (versions prior to 1.6.11) allows unauthenticated remote attackers to forge requests that manipulate cached OAuth state, potentially leading to session hijacking or token theft. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity. Vendor-released patch: version 1.6.11.
Technical ContextAI
Authlib is a Python library implementing OAuth 2.0 and OpenID Connect server/client functionality. The vulnerability resides in the authlib.integrations.starlette_client.OAuth module, specifically in cache handling mechanisms used during the OAuth authorization flow. The root cause is CWE-352 (Cross-Site Request Forgery), indicating missing or insufficient CSRF token validation on state-cache operations in the Starlette integration. This affects the confidentiality and integrity of OAuth session management in web applications using this integration.
RemediationAI
Upgrade Authlib to version 1.6.11 or later immediately. For Python environments using pip, execute: pip install --upgrade authlib>=1.6.11. Verify the installed version with pip show authlib. If immediate upgrade is not feasible, configure Starlette middleware to enforce SameSite=Strict cookies and implement explicit CSRF token validation on all OAuth callback handlers using Starlette's built-in CSRF middleware until patching is complete. This reduces but does not eliminate risk. Review GitHub Security Advisory GHSA-jj8c-mmj3-mmgv (https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv) for additional context and confirmation of fix.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25615