Cyber Resilience

CVE-2025-68158

MediumPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.0024 14.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-68158 is a medium-severity CSRF (CWE-352) vulnerability in Authlib Authlib. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-68158 affects Authlib, a Python library for building OAuth and OpenID Connect servers, specifically in versions 1.0.0 through 1.6.5. The vulnerability stems from cache-backed state and request-token storage not being tied to the initiating user session. When a cache is supplied to the OAuth client registry, the FrameworkIntegration.set_state_data function writes the entire state blob under a key like _state_{app}_{state}, while get_state_data ignores the caller's session entirely. This flaw, classified as CWE-352 (Cross-Site Request Forgery), carries a CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) and was published on 2026-01-08.

An attacker can exploit this vulnerability by obtaining a valid state value, which is easily acquired through an attacker-initiated authentication flow. With low privileges (PR:L) and requiring user interaction (UI:R), the attacker can perform a CSRF attack over the network (AV:N). Successful exploitation allows high confidentiality impact (C:H), such as unauthorized access to sensitive state data or tokens not bound to the victim's session.

The issue has been addressed in Authlib version 1.6.6. Security advisories and patch commits, including those at GHSA-fg6f-75jq-6523 and specific GitHub changes like 2808378611dd6fb2532b189a9087877d8f0c0489 and 7974f45e4d7492ab5f527577677f2770ce423228, detail the fix to properly associate state storage with user sessions. Practitioners should upgrade to 1.6.6 or later and review cache configurations in OAuth integrations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state…

more

(easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

CSRF flaw in OAuth state/token storage enables attackers to obtain and misuse application access tokens via session-independent cache keys.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27962Same product: Authlib Authlib
CVE-2026-28498Same product: Authlib Authlib
CVE-2026-28802Same product: Authlib Authlib
CVE-2025-30603Shared CWE-352
CVE-2025-30564Shared CWE-352
CVE-2025-23424Shared CWE-352
CVE-2025-25135Shared CWE-352
CVE-2025-31566Shared CWE-352
CVE-2025-23467Shared CWE-352
CVE-2025-55046Shared CWE-352

Affected Assets

authlib
authlib
≤ 1.6.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires cryptographic or equivalent binding of session state to the authenticated user session, directly eliminating the cache key (_state_{app}_{state}) that ignores the caller's session.

prevent

Enforces that OAuth state/request-token data may be retrieved or acted upon only by the subject that initiated the authentication flow, blocking attacker-supplied state values.

prevent

Enforces information-flow rules that confine OAuth state tokens to the originating session context rather than a globally addressable cache.

References