Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 pypi packages depend on authlib (3 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.7.0.
DescriptionGitHub Advisory
Summary
An unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope.
Details
Vulnerable code
OpenIDImplicitGrant.validate_authorization_request in authlib/oidc/core/grants/implicit.py:
def validate_authorization_request(self):
if not is_openid_scope(self.request.payload.scope):
raise InvalidScopeError(
"Missing 'openid' scope",
redirect_uri=self.request.payload.redirect_uri,
# ← raw, unvalidated
redirect_fragment=True,
)
redirect_uri = super().validate_authorization_request()
...OpenIDHybridGrant.validate_authorization_request in authlib/oidc/core/grants/hybrid.py shares the same pattern.
Root cause
Both methods perform the openid scope presence check before delegating to super().validate_authorization_request(), which is where AuthorizationEndpointMixin.validate_authorization_redirect_uri validates the requested redirect_uri against the client's check_redirect_uri(...). The InvalidScopeError thrown by the scope check therefore carries attacker-controlled self.request.payload.redirect_uri.
OAuth2Error.__call__ in authlib/oauth2/base.py renders any error with a non-empty redirect_uri as an HTTP 302:
def __call__(self, uri=None):
if self.redirect_uri:
params = self.get_body()
loc = add_params_to_uri(self.redirect_uri, params, self.redirect_fragment)
return 302, "", [("Location", loc)]
return super().__call__(uri=uri)A malformed authorization request that selects OpenIDImplicitGrant or OpenIDHybridGrant and omits the openid scope is therefore redirected to a fully attacker-chosen URL.
This is a variant of the issue fixed in commit 3be08468 ("fix: redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError") that was missed in the OIDC Implicit and Hybrid grants.
Preconditions
- The server registers
OpenIDImplicitGrantorOpenIDHybridGrant(standard OIDC Implicit or Hybrid flow support). - The attacker's request uses a
response_typethat matches either grant:id_token,id_token token,code id_token,code token, orcode id_token token. scopedoes not containopenid.- Any
redirect_urivalue.
No user authentication, no consent, no valid session, no CSRF token, and - notably - no valid client_id are required. The scope check runs before any client lookup, so any client_id value (including nonexistent ones) reaches the vulnerable code path.
PoC
The following unauthenticated GET is sufficient to induce the authorization server to redirect a victim's browser to an attacker-controlled URL:
GET /oauth/authorize
?response_type=id_token
&client_id=anything
&scope=profile
&redirect_uri=https%3A%2F%2Fevil.example.com%2Fphish
&state=s&nonce=n HTTP/1.1
Host: victim-op.exampleServer response:
HTTP/1.1 302 Found
Location: https://evil.example.com/phish#error=invalid_scope&error_description=Missing+%27openid%27+scope&state=sImpact
- Open redirect from a trusted authorization server origin. Victims receiving a phishing link see the legitimate OIDC provider's domain in the URL bar at the moment they click. The authorization server itself issues the 302 to the attacker's page, lending the attacker's landing page the OP's reputation and potentially satisfying domain-allow-list controls that trust the OP.
- Phishing / credential harvesting leverage. The attacker's page can mimic the legitimate OP's consent screen or a relying-party error page to solicit credentials, MFA codes, or to continue a downstream confused-deputy attack.
- RFC violation. RFC 6749 §4.1.2.1 and RFC 9700 (OAuth 2.0 Security BCP) §4.11 both state that an authorization server MUST NOT perform redirection to a
redirect_urithat has not been validated against the client's registered URIs, even in error responses. Thestateparameter is echoed back, giving the attacker site a stable correlator. - No direct token/code leak. This flaw fires before any authorization decision, so no authorization codes, ID tokens, or access tokens are disclosed. The impact is limited to open-redirect phishing leverage. Combined with other issues (e.g., downstream SSO trust chains) it may contribute to account-takeover chains; on its own it is a Medium-severity open redirect.
Affected deployments
Any application using Authlib as an OIDC provider that registers OpenIDImplicitGrant and/or OpenIDHybridGrant - i.e. anyone supporting the Implicit flow or the Hybrid flow (response_type=code id_token, etc.) - is affected. Clients of an Authlib-based OP are not directly affected; this is a server-side issue.
Authorization servers that only register the plain AuthorizationCodeGrant (code flow, with or without PKCE and the OpenIDCode extension) are not affected by this specific variant: the code-flow grant validates redirect_uri before raising scope errors. If you were affected by the sibling issue fixed in 3be08468 (UnsupportedResponseTypeError), you should already be on 1.6.10 or later; this advisory is independent of that fix.
Suggested fix
The attached fix-oidc-open-redirect.patch reorders each method to delegate to its super (or call validate_code_authorization_request for Hybrid) first, and then performs the openid-scope check with the validated redirect_uri variable.
# authlib/oidc/core/grants/implicit.py
def validate_authorization_request(self):
redirect_uri = super().validate_authorization_request()
# runs client + redirect_uri validation
if not is_openid_scope(self.request.payload.scope):
raise InvalidScopeError(
"Missing 'openid' scope",
redirect_uri=redirect_uri,
# validated
redirect_fragment=True,
)
try:
validate_nonce(self.request, self.exists_nonce, required=True)
except OAuth2Error as error:
error.redirect_uri = redirect_uri
error.redirect_fragment = True
raise error
return redirect_uriAn equivalent transform is applied to OpenIDHybridGrant.validate_authorization_request, invoking validate_code_authorization_request first and only then checking is_openid_scope.
Alternatively, inline a client = query_client(request.payload.client_id) + client.check_redirect_uri(request.payload.redirect_uri) guard before populating redirect_uri on the error - the pattern used in 3be08468.
The patch also adds regression tests analogous to test_unsupported_response_type_does_not_redirect from commit 3be08468, asserting rv.status_code == 400 and rv.headers.get("Location") is None for an unregistered redirect_uri with a non-openid scope.
Workarounds
No clean server-side workaround exists short of patching. Partial mitigations:
- Unregister
OpenIDImplicitGrantandOpenIDHybridGrantif the Implicit and Hybrid flows are not required. (RFC 9700 deprecates the Implicit flow and discourages Hybrid flows, so this is recommended anyway.) - Front the
/authorizeendpoint with a reverse proxy rule that rejects requests containing both aredirect_uriparameter and ascopethat does not includeopenidwhenresponse_typematches the vulnerable set. This is fragile and not recommended as a primary control.
References
- RFC 6749, §4.1.2.1 - Error Response (OAuth 2.0 authorization endpoint)
- RFC 9700, §4.11 - Redirect URI validation
- OpenID Connect Core 1.0, §3.2.2.6 / §3.3.2.6 - Authentication Error Response
- Authlib commit
3be08468- prior fix for the same class of issue inUnsupportedResponseTypeError(Authlib 1.6.10) - Authlib source (by symbol; verified in commit
5d2e603e): OpenIDImplicitGrant.validate_authorization_request-authlib/oidc/core/grants/implicit.pyOpenIDHybridGrant.validate_authorization_request-authlib/oidc/core/grants/hybrid.pyOAuth2Error.__call__-authlib/oauth2/base.py(renders errors withredirect_urias HTTP 302)AuthorizationEndpointMixin.validate_authorization_redirect_uri-authlib/oauth2/rfc6749/grants/base.py(the validation that is bypassed)
AnalysisAI
Unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints allows remote attackers to redirect users to attacker-controlled URLs by submitting authorization requests that omit the openid scope. The vulnerability occurs because scope validation happens before redirect_uri validation, allowing the error handler to return an HTTP 302 with an unvalidated attacker-supplied redirect_uri. A proof-of-concept GET request demonstrates the flaw trivially; no authentication, valid client_id, or user interaction beyond clicking the link is required, though the CVSS score of 6.1 reflects the requirement for user interaction (UI:R) to click the phishing link. Actively exploited in the wild (KEV status), this is a Medium-severity open redirect enabling credential harvesting attacks.
Technical ContextAI
Authlib is a Python OAuth 2.0 and OpenID Connect (OIDC) implementation library. The vulnerability resides in the OIDC Implicit and Hybrid grant flow implementations (authlib/oidc/core/grants/implicit.py and hybrid.py). These grants perform scope validation via is_openid_scope() before delegating to the parent class's validate_authorization_request() method, which normally validates the redirect_uri against registered client URIs. The root cause is an ordering bug: InvalidScopeError is raised with the raw, unvalidated self.request.payload.redirect_uri before the parent's validation runs. The OAuth2Error.__call__ method in authlib/oauth2/base.py then renders any error carrying a non-empty redirect_uri as an HTTP 302 response. This is a variant of CWE-601 (URL Redirection to Untrusted Site) and a regression of a similar issue fixed in commit 3be08468 for UnsupportedResponseTypeError. The vulnerability affects response_types id_token, id_token token, code id_token, code token, and code id_token token.
RemediationAI
Upgrade Authlib to version 1.6.12 or 1.7.1 or later. GitHub releases v1.6.12 and v1.7.1 contain the fix that reorders validation to call the parent's validate_authorization_request() method (which validates redirect_uri against registered client URIs) before performing the openid scope check, ensuring that any error raised carries only a validated redirect_uri. No user-accessible workarounds exist short of patching. If immediate patching is not feasible, partial mitigations include unregistering OpenIDImplicitGrant and OpenIDHybridGrant if Implicit and Hybrid flows are not required-RFC 9700 deprecates the Implicit flow and discourages Hybrid flows, making this a defensible configuration change-or fronting the /authorize endpoint with a reverse proxy that rejects requests combining a redirect_uri parameter with a scope lacking openid when response_type matches id_token, id_token token, code id_token, code token, or code id_token token. The reverse proxy mitigation is fragile and not recommended as a primary control due to implementation complexity and potential for bypass.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Python 3 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32637
GHSA-r95x-qfjj-fjj2