Components Vulnerabilities Pricing MCP API

Authlib

0.4

Authlib 0.4

PublishedJan 31, 2018•Policy

compliance

Developer Trust Score

N/A

Recommended Version:x.y.z

Latest version with 0 known vulnerabilities that meets your policy.

Compare Versions

Severity

Critical (0)

High (1)

Medium (0)

Low (0)

CVSS Score

0.010.0

EPSS Score

0.01.0

Malware

KEV StatusPublished

8.8CVE-2025-68158

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.

PublishedJan 9, 2026