{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68158", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-15T23:02:17.604Z", "datePublished": "2026-01-08T17:58:17.724Z", "dateUpdated": "2026-03-30T12:20:39.207Z"}, "containers": {"cna": {"title": "Authlib: 1-click Account Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523"}, {"name": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489"}, {"name": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228"}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"version": ">= 1.0.0, < 1.6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T12:20:39.207Z"}, "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller\u2019s session altogether. This issue has been patched in version 1.6.6."}], "source": {"advisory": "GHSA-fg6f-75jq-6523", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T18:19:47.500891Z", "id": "CVE-2025-68158", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:20:43.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68158", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T18:19:47.500891Z"}}}], "references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:19:50.211Z"}}], "cna": {"title": "Authlib: 1-click Account Takeover", "source": {"advisory": "GHSA-fg6f-75jq-6523", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "authlib", "product": "authlib", "versions": [{"status": "affected", "version": ">= 1.0.0, < 1.6.6"}]}], "references": [{"url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523", "name": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489", "name": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228", "name": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller\u2019s session altogether. This issue has been patched in version 1.6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T12:20:39.207Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68158", "state": "PUBLISHED", "dateUpdated": "2026-03-30T12:20:39.207Z", "dateReserved": "2025-12-15T23:02:17.604Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T17:58:17.724Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E0D5D7A-D21C-445C-83BA-4DD3C66C5A0E", "versionEndExcluding": "1.6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller\u2019s session altogether. This issue has been patched in version 1.6.6."}], "id": "CVE-2025-68158", "lastModified": "2026-03-30T13:16:21.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-08T18:15:59.060", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Authlib: Authlib: Cross-Site Request Forgery due to improper session management in state storage", "id": "2428102", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428102"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-352", "details": ["A flaw was found in Authlib, a Python library used for building OAuth and OpenID Connect servers. The cache-backed state and request-token storage within Authlib is not securely linked to the user's initiating session. This vulnerability allows a remote attacker to exploit a Cross-Site Request Forgery (CSRF) by obtaining a valid state, which can lead to unauthorized actions being performed on behalf of the user."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-68158", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/foreman-mcp-server-rhel9", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-01-08T17:58:17Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-68158\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68158\nhttps://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489\nhttps://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228\nhttps://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523"], "statement": "This vulnerability is rated Moderate for Red Hat products utilizing Authlib, such as Red Hat Ansible Automation Platform, Hosted OpenShift Clusters, Red Hat Quay, and Red Hat Satellite. The flaw arises from improper session management in Authlib's cache-backed state storage, allowing a remote attacker to perform Cross-Site Request Forgery (CSRF) by obtaining a valid state.", "threat_severity": "Moderate"}

{"created": "2026-01-09T13:24:19.814333+00:00", "updated": "2026-01-09T13:24:19.814389+00:00", "vendors": ["authlib", "authlib$PRODUCT$authlib"]}