GHSA-JJ8C-MMJ3-MMGV

Vulnerability from github – Published: 2026-04-16 22:38 – Updated: 2026-04-16 22:38
VLAI?
Summary
Authlib: Cross-site request forging when using cache
Details

Summary

There is no CSRF protection on the cache feature on most integrations clients.

Details

In authlib.integrations.starlette_client.OAuth, no CSRF protection is set up when using the cache parameter. When not using the cache parameter, the use of SessionMiddleware ties the client to the auth state, preventing CSRF attacks. With the cache, there is no such mechanism. Other integratons have the same issue, it's not just starlette.

The state parameter is taken from the callback URL and the state is fetched from the cache without checking that it is the same client calling the redirect endpoint as was the one that initiated the auth flow.

This issue is documented in RFC 6749 section 10.12: https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

PoC

  • Set up a Starlette integration with a cache
  • The attacker starts the auth flow up until before the callback URL is followed.
  • The attacked sends the redirect URL to the victim
  • The victim now completes the authorisation

Impact

This impacts all users that use the cache to store auth state.

All users will be vulnerable to CSRF attacks and may have an attacker's account tied to their own. In our specific scenario, this allowed attackers to push invoices into a victim's account, ready to be paid. Very serious.

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "authlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:38:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThere is no CSRF protection on the cache feature on most integrations clients.\n\n### Details\nIn `authlib.integrations.starlette_client.OAuth`, no CSRF protection is set up when using the cache parameter. When _not_ using the cache parameter, the use of SessionMiddleware ties the client to the auth state, preventing CSRF attacks. With the cache, there is no such mechanism. Other integratons have the same issue, it\u0027s not just starlette.\n\nThe state parameter is taken from the callback URL and the state is fetched from the cache without checking that it is the same client calling the redirect endpoint as was the one that initiated the auth flow.\n\nThis issue is documented in RFC 6749 section 10.12:\nhttps://datatracker.ietf.org/doc/html/rfc6749#section-10.12\n\n### PoC\n- Set up a Starlette integration with a cache\n- The attacker starts the auth flow up until before the callback URL is followed.\n- The attacked sends the redirect URL to the victim\n- The victim now completes the authorisation\n\n### Impact\nThis impacts all users that use the cache to store auth state.\n\nAll users will be vulnerable to CSRF attacks and may have an attacker\u0027s account tied to their own. In our specific scenario, this allowed attackers to push invoices into a victim\u0027s account, ready to be paid. Very serious.",
  "id": "GHSA-jj8c-mmj3-mmgv",
  "modified": "2026-04-16T22:38:03Z",
  "published": "2026-04-16T22:38:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authlib/authlib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authlib: Cross-site request forging when using cache"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.