Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1274

NIXPKGS-2026-1274
published on
Permalink CVE-2026-41425
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 8 hours ago
  • @LeSuisse ignored
    15 packages
    • python312Packages.oauthlib
    • python313Packages.oauthlib
    • python314Packages.oauthlib
    • python312Packages.hawkauthlib
    • python313Packages.hawkauthlib
    • python314Packages.hawkauthlib
    • python312Packages.aiohttp-oauthlib
    • python313Packages.aiohttp-oauthlib
    • python314Packages.aiohttp-oauthlib
    • python312Packages.requests-oauthlib
    • python313Packages.requests-oauthlib
    • python314Packages.requests-oauthlib
    • python312Packages.google-auth-oauthlib
    • python313Packages.google-auth-oauthlib
    • python314Packages.google-auth-oauthlib
    3 hours ago
  • @LeSuisse accepted 3 hours ago
  • @LeSuisse published on GitHub 3 hours ago
Authlib: Cross-site request forging when using cache

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

Affected products

authlib
  • ==< 1.6.11

Matching in nixpkgs

Ignored packages (15)

Package maintainers