PT-2026-40589 · Pypi · Oauthlib

Y011D4 · Published 2026-05-13 · Updated 2026-05-28 · CVE-2026-44681

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Authlib versions prior to 1.6.12; Authlib versions prior to 1.7.1
Description: An unauthenticated open redirect exists in the authorization endpoint of the OpenIDImplicitGrant and OpenIDHybridGrant components. A remote attacker can cause the authorization server to issue an HTTP 302 redirect to an arbitrary, attacker-chosen URL by submitting an authorization request that omits the openid scope. This occurs because the validate_authorization_request() function in both grants performs the scope check before validating the redirect_uri against the registered client URIs. Consequently, the InvalidScopeError is raised with an unvalidated redirect_uri, which OAuth2Error.__call__ then uses as the redirect location.
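To make the ordering problem concrete, the following is an added illustration and not Authlib's code: a minimal authorization endpoint written both in the vulnerable order (scope check first) and in the fixed order (redirect_uri validated first). The client registry, the URLs and the function names are constructed for the example.

```python
from urllib.parse import urlencode

# Constructed client registry (hypothetical): client_id -> registered redirect URIs
CLIENTS = {"app1": {"https://app.example/cb"}}


class OAuth2Error(Exception):
    """Error that, like the library's, can turn itself into a redirect response."""

    def __init__(self, error, redirect_uri=None):
        super().__init__(error)
        self.error = error
        self.redirect_uri = redirect_uri

    def __call__(self):
        """Return (status, Location): 302 to redirect_uri if one is set, else 400."""
        if self.redirect_uri:
            return 302, f"{self.redirect_uri}?{urlencode({'error': self.error})}"
        return 400, None


def validate_redirect_uri(client_id, redirect_uri):
    """Accept only a URI registered for the client; otherwise fail without redirecting."""
    if redirect_uri not in CLIENTS.get(client_id, set()):
        raise OAuth2Error("invalid_request")
    return redirect_uri


def authorize_vulnerable(params):
    """Bug ordering: the scope check runs first, so a scope error carries the unchecked URI."""
    redirect_uri = params.get("redirect_uri")
    if "openid" not in params.get("scope", "").split():
        raise OAuth2Error("invalid_scope", redirect_uri)
    return validate_redirect_uri(params["client_id"], redirect_uri)


def authorize_fixed(params):
    """Fixed ordering: redirect_uri is checked against the registry before any other check."""
    redirect_uri = validate_redirect_uri(params["client_id"], params.get("redirect_uri"))
    if "openid" not in params.get("scope", "").split():
        raise OAuth2Error("invalid_scope", redirect_uri)
    return redirect_uri


def handle(endpoint, params):
    """Run an endpoint and return the (status, Location) the server would send."""
    try:
        endpoint(params)
        return 200, None
    except OAuth2Error as err:
        return err()
```

With the vulnerable ordering a request that omits openid and carries an unregistered redirect_uri gets a 302 to that URI; with the fixed ordering the same request gets a 400 with no Location header.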
Recommendations: Update to version 1.6.12 or 1.7.1. As a temporary mitigation, unregister OpenIDImplicitGrant and OpenIDHybridGrant if the Implicit and Hybrid flows are not required.

Weakness Enumeration: Open Redirect; Incorrect Authorization

Related Identifiers: CVE-2026-44681, GHSA-R95X-QFJJ-FJJ2, OPENSUSE-SU-2026:10883-1

Affected Products: Oauthlib