CVE-2026-44681 Overview
CVE-2026-44681 is an unauthenticated open redirect vulnerability in Authlib, a Python library used to build OAuth and OpenID Connect servers. The flaw exists in the authorization endpoint logic for OpenIDImplicitGrant and OpenIDHybridGrant. A remote attacker can craft an authorization request that omits the openid scope, causing the authorization server to issue an HTTP 302 redirect to an attacker-controlled URL. The issue is tracked as [CWE-601] Open Redirect and is fixed in Authlib versions 1.6.12 and 1.7.1.
Critical Impact
Attackers can abuse trusted authorization server domains to redirect victims to phishing or malware delivery sites, undermining OAuth/OIDC trust boundaries.
Affected Products
- Authlib versions prior to 1.6.12
- Authlib 1.7.0 (fixed in 1.7.1)
- Applications exposing OpenIDImplicitGrant or OpenIDHybridGrant flows
Discovery Timeline
- 2026-05-27 - CVE-2026-44681 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44681
Vulnerability Analysis
The vulnerability resides in the OpenID Connect grant handlers within Authlib's authorization server implementation. When a client submits an authorization request to the /authorize endpoint targeting an OpenID flow, the server evaluates the requested scopes to determine grant behavior. If the request maps to OpenIDImplicitGrant or OpenIDHybridGrant but the openid scope is omitted, the grant handler falls through validation logic and produces an HTTP 302 response. The Location header reflects a redirect_uri value that bypasses the normal registered-client URI validation performed for fully-formed OpenID requests.
The practical outcome is an unauthenticated open redirect from a trusted identity provider domain. Attackers weaponize this for credential phishing, OAuth token theft chains, and bypassing URL allow lists in email security gateways. Because the redirect originates from a legitimate authentication endpoint, users and security tooling are more likely to trust the destination.
Root Cause
The root cause is improper input validation of the redirect_uri parameter when the authorization request fails to declare the openid scope. The grant selector still routes the request through OpenID grant classes, but scope-dependent validation of redirect_uri against registered client metadata is skipped. This results in unvalidated forwarding to user-controlled URLs [CWE-601].
Attack Vector
Exploitation requires only network access to the Authlib-backed authorization endpoint and user interaction with a crafted link. The attacker constructs an authorization URL pointing at the victim authorization server, specifies a response_type consistent with implicit or hybrid flow such as token or code id_token, omits the openid scope, and supplies an attacker-controlled redirect_uri. When a victim clicks the link, the authorization server responds with HTTP 302 and a Location header pointing to the attacker's domain. See the GitHub Security Advisory GHSA-r95x-qfjj-fjj2 for the full technical writeup.
Detection Methods for CVE-2026-44681
Indicators of Compromise
- Authorization endpoint requests using implicit or hybrid response_type values without the openid scope present.
- HTTP 302 responses from /authorize with Location headers pointing to domains outside the registered client allow list.
- Spikes in authorization requests from unusual referrers or with redirect_uri parameters hosted on newly registered or low-reputation domains.
Detection Strategies
- Inspect authorization server access logs for requests where response_type includes token or id_token but scope lacks openid.
- Correlate outbound 302 redirects from the IdP with the configured redirect_uris per client to flag mismatches.
- Hunt for phishing campaigns that reference the organization's IdP domain in their initial URL.
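The first two detection strategies, run over log entries, as an added example (not tooling from the advisory or the Authlib project). It assumes a constructed tab-separated log format (timestamp, request target, status, Location header) and an assumed in-memory registry of client redirect URIs; the Location check treats scheme, host and path as the comparison key and ignores the query string and fragment that implicit-flow responses append.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries (not real logs), tab-separated:
# timestamp, request path+query, HTTP status, Location header ("-" if absent).
SAMPLE_LOG = """\
2026-05-27T10:00:01Z\t/authorize?response_type=code&client_id=app1&scope=openid+profile&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb\t302\thttps://app.example.com/cb?code=abc
2026-05-27T10:00:02Z\t/authorize?response_type=id_token+token&client_id=app1&scope=profile&redirect_uri=https%3A%2F%2Fevil.example.net%2F\t302\thttps://evil.example.net/#access_token=xyz
2026-05-27T10:00:03Z\t/authorize?response_type=id_token&client_id=app1&scope=openid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb\t302\thttps://app.example.com/cb#id_token=jwt
"""

# Assumed client registry: client_id -> registered redirect URIs.
REGISTERED = {"app1": {"https://app.example.com/cb"}}
OIDC_RESPONSE_TYPES = {"token", "id_token"}

def base_uri(uri):
    """scheme://host/path of a URI, ignoring query string and fragment."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}{p.path}"

def analyse(line):
    """Return the indicator names that fire for one log entry."""
    ts, target, status, location = line.split("\t")
    url = urlsplit(target)
    if url.path != "/authorize":
        return []
    q = parse_qs(url.query)
    rtypes = set(q.get("response_type", [""])[0].split())
    scopes = set(q.get("scope", [""])[0].split())
    client = q.get("client_id", [""])[0]
    findings = []
    # Indicator: implicit/hybrid response_type requested without the openid scope.
    if rtypes & OIDC_RESPONSE_TYPES and "openid" not in scopes:
        findings.append("oidc_response_type_without_openid_scope")
    # Indicator: 302 whose Location is not a registered redirect URI of the client.
    if status == "302" and location != "-":
        if base_uri(location) not in REGISTERED.get(client, set()):
            findings.append("redirect_outside_registered_uris")
    return findings

def scan(log_text):
    """Map each entry's timestamp to its findings; an empty list means clean."""
    return {l.split("\t")[0]: analyse(l) for l in log_text.splitlines() if l}

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG).items():
        print(ts, hits or "ok")
```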
Monitoring Recommendations
- Enable verbose authorization endpoint logging and ingest logs into a centralized SIEM with redirect_uri and scope parsed as fields.
- Alert on any Location header value from the authorization server that does not match a known client redirect URI.
- Track URL reputation for redirect destinations observed in authorization responses.
How to Mitigate CVE-2026-44681
Immediate Actions Required
- Upgrade Authlib to version 1.6.12 (for the 1.6.x branch) or 1.7.1 (for the 1.7.x branch) without delay.
- Audit deployed services that depend on Authlib's OpenID Connect grant classes and inventory all client redirect_uri registrations.
- Review authorization server logs for prior exploitation attempts referencing external redirect_uri values.
Patch Information
The Authlib maintainers fixed the issue in releases 1.6.12 and 1.7.1. Both releases add scope-independent validation of the redirect_uri against the registered client metadata in the OpenIDImplicitGrant and OpenIDHybridGrant handlers. Refer to the GitHub Security Advisory GHSA-r95x-qfjj-fjj2 for patch commits and release notes.
Workarounds
- Disable the OpenIDImplicitGrant and OpenIDHybridGrant flows if they are not required by client applications, and prefer the authorization code flow with PKCE.
- Add a reverse proxy or WAF rule that rejects authorization requests routing to OpenID grants when the scope parameter does not contain openid.
- Enforce strict server-side validation of redirect_uri against the registered client list before any 302 response is emitted.
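The second and third workarounds as a single WSGI guard placed in front of the authorization server, written as an added example (not Authlib's own code or API). It assumes an in-memory registry mapping client_id to registered redirect URIs, and includes a test double standing in for an unpatched server that redirects wherever redirect_uri points.

```python
from urllib.parse import parse_qs, urlsplit

OIDC_RESPONSE_TYPES = {"token", "id_token"}

def base_uri(uri):
    """scheme://host/path of a URI, ignoring query string and fragment."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}{p.path}"

def redirect_guard(app, clients):
    """WSGI guard in front of an authorization server; `clients` maps client_id to registered redirect URIs (assumed registry)."""
    def middleware(environ, start_response):
        if environ.get("PATH_INFO") != "/authorize":
            return app(environ, start_response)
        q = parse_qs(environ.get("QUERY_STRING", ""))
        rtypes = set(q.get("response_type", [""])[0].split())
        scopes = set(q.get("scope", [""])[0].split())
        client_id = q.get("client_id", [""])[0]
        # Workaround 2: implicit/hybrid response types must carry the openid scope.
        if rtypes & OIDC_RESPONSE_TYPES and "openid" not in scopes:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"invalid_request: openid scope is required"]
        rejected = []
        # Workaround 3: let no 302 out unless Location is a registered redirect URI.
        def checked_start_response(status, headers, exc_info=None):
            if status.startswith("302"):
                loc = next((v for k, v in headers if k.lower() == "location"), "")
                if base_uri(loc) not in clients.get(client_id, set()):
                    rejected.append(loc)
                    return start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return start_response(status, headers, exc_info)
        body = app(environ, checked_start_response)
        return [b"invalid_request: redirect_uri not registered"] if rejected else body
    return middleware

def unvalidated_stub_app(environ, start_response):
    """Test double for an unpatched server: redirects wherever redirect_uri points."""
    q = parse_qs(environ.get("QUERY_STRING", ""))
    start_response("302 Found", [("Location", q.get("redirect_uri", [""])[0])])
    return [b""]

def call(app, query_string):
    """Issue GET /authorize?<query_string> to a WSGI app; return (status, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
        return lambda data: None
    body = b"".join(app({"PATH_INFO": "/authorize", "QUERY_STRING": query_string}, start_response))
    return seen["status"], body
```

The guard is a stopgap for the window before the upgrade; it does not replace the scope-independent validation the fixed releases perform inside the grant handlers.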
# Configuration example - upgrade Authlib via pip
pip install --upgrade "authlib>=1.7.1"
# Or for the 1.6.x maintenance branch
pip install --upgrade "authlib>=1.6.12,<1.7.0"
# Verify the installed version
python -c "import authlib; print(authlib.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.