CVE-2026-44681 - Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect

📡 GitHub-Advisory · 2026-05-13

GHSA-r95x-qfjj-fjj2 MEDIUM pip/authlib

CVE: CVE-2026-44681

Summary

An unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope.

Details

Vulnerable code

OpenIDImplicitGrant.validate_authorization_request in authlib/oidc/core/grants/implicit.py:

def validate_authorization_request(self):
    # The scope check runs first, so the error below is raised before
    # redirect_uri has been checked against the client's registration.
    if not is_openid_scope(self.request.payload.scope):
        raise InvalidScopeError(
            "Missing 'openid' scope",
            redirect_uri=self.request.payload.redirect_uri,  # ← raw, unvalidated
            redirect_fragment=True,
        )
    # redirect_uri is only validated here, inside the parent implementation.
    redirect_uri = super().validate_authorization_request()
    ...

OpenIDHybridGrant.validate_authorization_request in authlib/oidc/core/grants/hybrid.py shares the same pattern.

Root cause

Both methods perform the openid scope presence check before delegating to super().validate_authorization_request(), which is where AuthorizationEndpointMixin.validate_authorization_redirect_uri validates the requested redirect_uri against the client's check_redirect_uri(...). The InvalidScopeError thrown by the scope check therefore carries attacker-controlled self.request.payload.redirect_uri.

OAuth2Error.__call__ in authlib/oauth2/base.py renders any error with a non-empty redirect_uri as an HTTP 302:

def __call__(self, uri=None):
    if self.redirect_uri:
        params = self.get_body()
        loc = add_params_to_uri(self.redirect_uri, params, self.redirect_fragment)
        return 302, "", [("Location", loc)]
    return super().__call__(uri=uri)

A malformed authorization request that selects OpenIDImplicitGrant or OpenIDHybridGrant and omits the openid scope is therefore redirected to a fully attacker-chosen URL.
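The ordering defect and its remediation, shown as an added Python model that is not Authlib's code: a toy AuthError that renders as a 302 whenever it carries a redirect_uri (mirroring what the advisory says about OAuth2Error.__call__), a stand-in check_redirect_uri doing an exact match against a constructed client registration, and the openid scope check in both orders. The function names validate_vulnerable, validate_fixed, authorize and redirect_host, and the hostnames app.example and unregistered.example, are assumptions made for this illustration.

```python
"""Toy model of the advisory's ordering bug (not Authlib code).

Constructed for illustration: an error type that becomes a 302 when it
carries a redirect_uri, a registration check, and the scope check placed
before (vulnerable) and after (fixed) redirect_uri validation.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample client registration (hypothetical value).
REGISTERED_REDIRECT_URIS = {"https://app.example/callback"}


class AuthError(Exception):
    """Mimics an OAuth2 error that redirects when redirect_uri is set."""

    def __init__(self, error, description, redirect_uri=None, fragment=False):
        super().__init__(description)
        self.error = error
        self.description = description
        self.redirect_uri = redirect_uri
        self.fragment = fragment

    def response(self):
        """Render like OAuth2Error.__call__: 302 if redirect_uri is non-empty."""
        if self.redirect_uri:
            params = urlencode({"error": self.error,
                                "error_description": self.description})
            parts = urlsplit(self.redirect_uri)
            if self.fragment:
                loc = urlunsplit(parts._replace(fragment=params))
            else:
                loc = urlunsplit(parts._replace(query=params))
            return 302, "", [("Location", loc)]
        # No redirect target: the error is returned directly to the caller.
        return 400, f"{self.error}: {self.description}", []


def check_redirect_uri(redirect_uri):
    """Stand-in for client.check_redirect_uri: exact match against registration."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise AuthError("invalid_request", "Redirect URI is not registered")
    return redirect_uri


def validate_vulnerable(payload):
    """Scope check first: the error carries the raw, unvalidated redirect_uri."""
    if "openid" not in payload.get("scope", "").split():
        raise AuthError("invalid_scope", "Missing 'openid' scope",
                        redirect_uri=payload.get("redirect_uri"), fragment=True)
    return check_redirect_uri(payload.get("redirect_uri"))


def validate_fixed(payload):
    """Validate redirect_uri first; only a registered URI can receive the error."""
    redirect_uri = check_redirect_uri(payload.get("redirect_uri"))
    if "openid" not in payload.get("scope", "").split():
        raise AuthError("invalid_scope", "Missing 'openid' scope",
                        redirect_uri=redirect_uri, fragment=True)
    return redirect_uri


def authorize(validator, payload):
    """Run a validator and return the (status, body, headers) it would produce."""
    try:
        validator(payload)
    except AuthError as exc:
        return exc.response()
    return 200, "ok", []


def redirect_host(response):
    """Host named in the Location header, or None if the response is not a 302."""
    status, _, headers = response
    if status != 302:
        return None
    return urlsplit(dict(headers)["Location"]).hostname


if __name__ == "__main__":
    # Constructed request: openid scope omitted, redirect_uri not registered.
    bad = {"scope": "profile", "redirect_uri": "https://unregistered.example/"}
    print("vulnerable ->", redirect_host(authorize(validate_vulnerable, bad)))
    print("fixed      ->", authorize(validate_fixed, bad)[0])
```

In the fixed ordering a scope error can still redirect, but only to a URI that passed check_redirect_uri; an unregistered redirect_uri yields a direct 400 instead of a Location header. An equivalent remediation is to raise the scope error without any redirect_uri at all, which also produces a 400.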

This is a variant of the issue fixed in commit [3be08468](https://github.co

