Cross-Site Request Forgery Vulnerability in Authlib Python Library
CVE-2025-68158

5.7MEDIUM

Key Information:

Vendor

Authlib

Status
Authlib
Vendor
CVE Published:
8 January 2026

What is CVE-2025-68158?

The Authlib library, which facilitates the development of OAuth and OpenID Connect servers, has a vulnerability that permits Cross-Site Request Forgery (CSRF) attacks in versions 1.6.5 and earlier. This occurs because the library's cache-backed state/request-token storage does not associate state management with the user session that initiated the request. As a result, attackers who can obtain a valid state—potentially through repeating an authentication flow—can execute unauthorized actions. This issue has been resolved in version 1.6.6, where proper session ties have been implemented.

Affected Version(s)

authlib >= 1.0.0, < 1.6.6

References

https://github.com/authlib/authlib/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/2808378611dd6fb...
x_refsource_MISC
https://github.com/authlib/authlib/commit/7974f45e4d7492a...
x_refsource_MISC

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.