✅ Check your installed version
All known vulnerabilities
CRITICAL9.8CVE-2026-28802Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification >= 1.6.5, < 1.6.7
CRITICAL9.1CVE-2026-27962Authlib JWS JWK Header Injection: Signature Verification Bypass from 0, < 1.6.9
HIGH7.5CVE-2026-28498Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding from 0, < 1.6.9
HIGH7.5CVE-2025-61920Authlib is vulnerable to Denial of Service via Oversized JOSE Segments from 0, < 1.6.5
HIGH7.5CVE-2025-59420Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) from 0, < 1.6.4
HIGH7.4CVE-2024-37568Authlib has algorithm confusion with asymmetric public keys from 0, < 1.3.1
HIGH7.4CVE-2024-37568Authlib has algorithm confusion with asymmetric public keys from 0, < 1.3.1
MEDIUM6.5CVE-2026-28490Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle from 0, < 1.6.9
MEDIUM6.5CVE-2025-62706Authlib : JWE zip=DEF decompression bomb enables DoS from 0, < 1.6.5
MEDIUM6.1CVE-2026-44681Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect >= 1.7.0, < 1.7.1
MEDIUM5.7CVE-2025-68158Authlib has 1-click Account Takeover vulnerability >= 1.0.0, < 1.6.6
MEDIUM5.4CVE-2026-41425Authlib: Cross-site request forging when using cache from 0, < 1.6.11
MEDIUM5.4CVE-2026-41425Authlib: Cross-site request forging when using cache from 0, < 1.6.11