Security update for python-Authlib SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20257-1 Final 1 1 2026-02-19T13:21:50Z current 2026-02-19T13:21:50Z 2026-02-19T13:21:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Authlib This update for python-Authlib fixes the following issues: Changes in python-Authlib: - CVE-2025-68158: Fixed 1-click account takeover in applications that use the Authlib library (bsc#1256414) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-135 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1256414 SUSE Bug 1256414 https://www.suse.com/security/cve/CVE-2025-68158/ SUSE CVE CVE-2025-68158 page openSUSE Leap 16.0 python313-Authlib-1.5.2-bp160.2.1 python313-Authlib-1.5.2-bp160.2.1 as a component of openSUSE Leap 16.0 Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller's session altogether. This issue has been patched in version 1.6.6. CVE-2025-68158 openSUSE Leap 16.0:python313-Authlib-1.5.2-bp160.2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-68158.html CVE-2025-68158 https://bugzilla.suse.com/1256414 SUSE Bug 1256414