{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41425", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.814Z", "datePublished": "2026-04-24T19:14:37.904Z", "dateUpdated": "2026-04-27T13:35:01.596Z"}, "containers": {"cna": {"title": "Authlib: Cross-site request forging when using cache", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv"}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"version": "< 1.6.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:14:37.904Z"}, "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11."}], "source": {"advisory": "GHSA-jj8c-mmj3-mmgv", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:09:15.946604Z", "id": "CVE-2026-41425", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:35:01.596Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41425", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:09:15.946604Z"}}}], "references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:09:17.630Z"}}], "cna": {"title": "Authlib: Cross-site request forging when using cache", "source": {"advisory": "GHSA-jj8c-mmj3-mmgv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"status": "affected", "version": "< 1.6.11"}]}], "references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv", "name": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:14:37.904Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41425", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:35:01.596Z", "dateReserved": "2026-04-20T15:32:33.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T19:14:37.904Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B4A35D6-9096-4D0B-8773-E6B16388069F", "versionEndExcluding": "1.6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11."}], "id": "CVE-2026-41425", "lastModified": "2026-04-28T18:18:26.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T20:16:27.107", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "authlib", "source": "cna", "vendor": "authlib"}, "product": "authlib", "vendor": "authlib"}], "analysis": {"en": {"generated_at": "2026-04-28T13:35:16.257730+00:00", "value": {"mitigation_remediation": ["Upgrade Authlib to version 1.6.11 or later, which adds CSRF protection for the cache feature.", "If an immediate upgrade is not possible, add CSRF safeguards such as enforcing same\u2011site cookies or inserting explicit CSRF tokens into the OAuth flow used by the application.", "Alternatively, disable or avoid using the cache feature in authlib.integrations.starlette_client.OAuth until the patch is applied."], "summary": {"action": "Apply patch", "impact": "Cross\u2011site request forgery that permits an attacker to forge requests via the cache feature"}, "threat_synthesis": {"affected_systems": "The flaw applies to any deployment of Authlib prior to version 1.6.11 that uses the authlib.integrations.starlette_client.OAuth module. Any Python application incorporating Authlib for OAuth authentication and enabling the cache functionality is potentially affected.", "description_and_impact": "Authlib, a Python library for OAuth and OpenID Connect servers, had a flaw in the cache feature of its Starlette client integration where no CSRF protection was in place. Because of this, malicious actors could trick users into sending requests that the application would process as if they were legitimate. The vulnerability is categorized as CWE\u2011352 (Cross\u2011Site Request Forgery).", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity rating. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to target a user who has already authenticated with the application and use the cache function to form a forged request. The attack vector is likely browser\u2011based and requires the victim to interact with the attacker\u2019s web content, which reduces but does not eliminate exploitability."}}}}, "created": "2026-04-27T20:15:12.105781+00:00", "updated": "2026-04-28T13:45:06.132603+00:00", "vendors": ["authlib", "authlib$PRODUCT$authlib"]}