SB2026041629 - Cross-site request forgery in authlib
Published: April 16, 2026
Security Bulletin ID
SB2026041629
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site request forgery (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform cross-site request forgery and bind an attacker's account to a victim's session.
The vulnerability exists due to cross-site request forgery in OAuth integrations using the cache feature when handling OAuth callback requests with cached state. A remote attacker can send a crafted redirect URL to the victim to perform cross-site request forgery and bind an attacker's account to a victim's session.
User interaction is required for the victim to complete the authorization flow.
Remediation
Install update from vendor's website.