Pypi · Oauthlib · CVE-2026-44681
**Name of the Vulnerable Software and Affected Versions**
Authlib versions prior to 1.6.12
Authlib versions prior to 1.7.1
**Description**
An unauthenticated open redirect exists in the authorization endpoint of the `OpenIDImplicitGrant` and `OpenIDHybridGrant` components. A remote attacker can cause the authorization server to issue an HTTP 302 redirect to an arbitrary, attacker-chosen URL by submitting an authorization request that omits the `openid` scope. This occurs because the `validate_authorization_request()` method in both grants performs the scope check before validating the `redirect_uri` against the registered client URIs. Consequently, the `InvalidScopeError` is raised with an unvalidated `redirect_uri`, which `OAuth2Error.__call__` then uses as the redirect location.
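To make the ordering issue concrete, the following is a simplified model added for this page, not Authlib's own code: a toy `OAuth2Error` whose `__call__` turns a set `redirect_uri` into a 302, shown beside a `validate_authorization_request` in the vulnerable order and in the corrected order. The client registry, the request dictionaries and all helper names are constructed assumptions.

```python
REGISTERED_CLIENTS = {  # constructed sample registry: client_id -> allowed redirect URIs
    "client-a": ["https://app.example.com/cb"],
}

class OAuth2Error(Exception):
    """Error whose __call__ yields a 302 when it carries a redirect_uri, else a 400."""
    def __init__(self, error, redirect_uri=None):
        super().__init__(error)
        self.error = error
        self.redirect_uri = redirect_uri

    def __call__(self):
        if self.redirect_uri:
            return 302, f"{self.redirect_uri}?error={self.error}"
        return 400, f'{{"error": "{self.error}"}}'

class InvalidScopeError(OAuth2Error):
    def __init__(self, redirect_uri=None):
        super().__init__("invalid_scope", redirect_uri)

def validate_redirect_uri(client_id, redirect_uri):
    """RFC 6749 3.1.2.4: never redirect to a redirect_uri that is not registered."""
    if redirect_uri not in REGISTERED_CLIENTS.get(client_id, []):
        raise OAuth2Error("invalid_request")  # deliberately no redirect_uri attached
    return redirect_uri

def validate_authorization_request_vulnerable(params):
    """Order the advisory describes: the scope check runs before redirect_uri is validated."""
    redirect_uri = params.get("redirect_uri")  # still unvalidated at this point
    if "openid" not in params.get("scope", "").split():
        raise InvalidScopeError(redirect_uri=redirect_uri)
    return validate_redirect_uri(params.get("client_id"), redirect_uri)

def validate_authorization_request_fixed(params):
    """Validate redirect_uri first so an error can only redirect to a registered URI."""
    redirect_uri = validate_redirect_uri(params.get("client_id"), params.get("redirect_uri"))
    if "openid" not in params.get("scope", "").split():
        raise InvalidScopeError(redirect_uri=redirect_uri)
    return redirect_uri

def handle(validator, params):
    """Return the (status, location_or_body) pair the endpoint would send back."""
    try:
        validator(params)
        return 200, "ok"
    except OAuth2Error as err:
        return err()
```

With the corrected order, a request carrying an unregistered `redirect_uri` ends in a 400 error body regardless of scope, and a missing `openid` scope only ever redirects back to the registered client URI.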
**Recommendations**
Update to version 1.6.12 or 1.7.1.
As a temporary mitigation, unregister `OpenIDImplicitGrant` and `OpenIDHybridGrant` if Implicit and Hybrid flows are not required.