## Authlib OAuth Library Found Vulnerable to CSRF Attacks When Cache Feature Is Active
A medium-severity vulnerability in the authlib Python library exposes applications to cross-site request forgery (CSRF) attacks when the cache feature is enabled in OAuth integration clients. The flaw, tracked as GHSA-jj8c-mmj3-mmgv, affects version 1.6.9 and has been patched in version 1.6.11.

The vulnerability exists in `authlib.integrations.starlette_client.OAuth` and related integration modules. When developers use the cache parameter for authentication flows, no CSRF protection mechanism is enforced—unlike standard sessions where SessionMiddleware binds the client to the authorization state. Specifically, the state parameter is extracted from the callback URL and retrieved from the cache without verifying that the same client instance initiated the original auth request. This allows an attacker to potentially intercept or replay authentication flows by crafting malicious redirect URLs that satisfy the state validation, bypassing the intended security checks outlined in RFC 6749 section 10.12.

Applications using authlib's OAuth clients with cache-enabled configurations are at risk, particularly those implementing authentication systems in Starlette, Flask, Django, or other supported frameworks. Developers who rely on SessionMiddleware without the cache parameter are not affected. The maintainers recommend upgrading to version 1.6.11 immediately for any project leveraging the vulnerable cache functionality. Organizations unable to upgrade should review their OAuth callback handlers and consider implementing additional state validation at the application layer until a patch can be applied.
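The following is an added example, not authlib's own code, illustrating the mechanism described above and the application-layer check recommended as an interim mitigation. It models two ways of storing the OAuth `state` parameter in a shared cache: a cache-only pattern where the callback accepts any `state` value it can find in the cache, and a bound pattern where the cached entry also records which browser session started the flow and the callback refuses a `state` presented by a different session. The in-memory cache, the function names and the session identifiers (`sess-victim`, `sess-other`) are constructed for this example; a real deployment would take the session identifier from the cookie that SessionMiddleware or an equivalent sets.

```python
import hmac
import secrets
from typing import Dict, Optional


class InMemoryCache:
    """Constructed stand-in for a shared cache backend (Redis, memcached, ...)."""

    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def set(self, key: str, value: dict) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[dict]:
        return self._data.get(key)

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


# --- Weak pattern: state is keyed only by its own value -------------------

def start_login_cache_only(cache: InMemoryCache, client_id: str) -> str:
    """Store the state under its own value; nothing records who started the flow."""
    state = secrets.token_urlsafe(32)
    cache.set(f"state:{state}", {"client_id": client_id})
    return state


def callback_cache_only(cache: InMemoryCache, state_from_url: str) -> Optional[dict]:
    """Accept any state that exists in the cache, regardless of which browser presents it."""
    key = f"state:{state_from_url}"
    data = cache.get(key)
    cache.delete(key)  # single use, but no binding check
    return data


# --- Hardened pattern: state is bound to the initiating browser session ----

def start_login_bound(cache: InMemoryCache, client_id: str, session_id: str) -> str:
    """Store the state together with the session that initiated the authorization request."""
    state = secrets.token_urlsafe(32)
    cache.set(f"state:{state}", {"client_id": client_id, "session_id": session_id})
    return state


def callback_bound(cache: InMemoryCache, state_from_url: str, session_id: str) -> Optional[dict]:
    """Consume the state, then reject it unless the presenting session is the one that started the flow."""
    key = f"state:{state_from_url}"
    data = cache.get(key)
    cache.delete(key)  # consume first so a mismatched presentation cannot be retried
    if data is None:
        return None
    if not hmac.compare_digest(data["session_id"], session_id):
        return None  # state was minted for a different browser session: treat as CSRF
    return data


def demo() -> Dict[str, bool]:
    """Show whether each pattern accepts a state presented by a session other than the initiator."""
    results: Dict[str, bool] = {}

    cache = InMemoryCache()
    state = start_login_cache_only(cache, "client-a")
    # Constructed scenario: the callback arrives from a browser session that did not start the flow.
    results["cache_only_accepts_foreign_state"] = callback_cache_only(cache, state) is not None

    cache = InMemoryCache()
    state = start_login_bound(cache, "client-a", session_id="sess-other")
    results["bound_accepts_foreign_state"] = callback_bound(cache, state, session_id="sess-victim") is not None

    cache = InMemoryCache()
    state = start_login_bound(cache, "client-a", session_id="sess-victim")
    results["bound_accepts_own_state"] = callback_bound(cache, state, session_id="sess-victim") is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the bound variant is the one the advisory makes: a valid `state` in the cache proves only that some flow was started, not that the browser now completing it is the one that started it. Binding the cached entry to a per-browser session identifier restores the check that SessionMiddleware provides in the non-cache configuration, and the state is consumed on first presentation so it cannot be replayed.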

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: authlib, OAuth, CSRF, vulnerability, Python
- **Credibility**: unverified
- **Published**: 2026-05-05 00:54:08
- **ID**: 79364
- **URL**: https://whisperx.ai/en/intel/79364