CVE-2025-68158

Published: Jan 8, 2026

Modified: Mar 30, 2026

PUBLISHED

CVSS v3.1

5.7

MEDIUM

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.

Vendor	Product	Versions
authlib	authlib	affected `>= 1.0.0, < 1.6.6`

Weaknesses (CWE)

CWE-352

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523

x_refsource_CONFIRM

https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489

x_refsource_MISC

https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-68158

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References