CVE-2026-46715: Flask-Security-Too OAuth reauthentication freshness bypass via cross-user OAuth identity acceptance
Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user.

If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth identity. The victim session is then treated as recently reauthenticated, allowing freshness-protected account actions to proceed. This was reproduced against the built-in /change-username route.
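The logic error described above, modelled as an added illustration rather than Flask-Security-Too's own code: a reauthentication handler that marks the session fresh whenever the presented OAuth identity maps to any account, beside one that only does so when the identity is linked to the user who owns the session. The user records, session class, freshness window, `change_username` action and all function names are hypothetical and constructed for this example; they are not the library's API.

```python
"""Added example: freshness bypass via cross-user OAuth identity acceptance.

Hypothetical model, not Flask-Security-Too code. A stale victim session is
driven through OAuth verification with the attacker's own identity; the
vulnerable handler marks the session fresh, the fixed one refuses.
"""
from dataclasses import dataclass

FRESHNESS_WINDOW = 600.0  # seconds; hypothetical "recently reauthenticated" window


def make_users():
    """Constructed sample data: two accounts, each with one linked OAuth identity."""
    return {
        "victim": {"oauth": {("github", "gh-1001")}, "username": "victim"},
        "attacker": {"oauth": {("github", "gh-2002")}, "username": "attacker"},
    }


@dataclass
class Session:
    user_id: str            # the account this session was authenticated as
    last_reauth: float = 0  # timestamp of last reauthentication; 0 = never


def is_fresh(session, now):
    """Session counts as fresh if it reauthenticated within the window."""
    return session.last_reauth > 0 and (now - session.last_reauth) < FRESHNESS_WINDOW


def oauth_reauth_vulnerable(users, session, provider, provider_uid, now):
    """Bug: any identity that resolves to *some* account refreshes *this* session.

    The handler never compares the resolved account with session.user_id.
    """
    for record in users.values():
        if (provider, provider_uid) in record["oauth"]:
            session.last_reauth = now
            return True
    return False


def oauth_reauth_fixed(users, session, provider, provider_uid, now):
    """Fix: only an identity linked to the session's own account refreshes it."""
    record = users.get(session.user_id)
    if record is None or (provider, provider_uid) not in record["oauth"]:
        return False
    session.last_reauth = now
    return True


def change_username(users, session, new_name, now):
    """Freshness-protected action, standing in for a /change-username route."""
    if not is_fresh(session, now):
        raise PermissionError("reauthentication required")
    users[session.user_id]["username"] = new_name
    return new_name


def run_scenario(reauth):
    """Attacker holds a stale victim session and presents their own OAuth identity.

    Returns (reauth accepted?, action outcome, victim's final username).
    """
    users = make_users()
    victim = Session(user_id="victim")  # authenticated earlier, no recent reauth
    now = 1000.0
    assert not is_fresh(victim, now)
    accepted = reauth(users, victim, "github", "gh-2002", now)  # attacker's identity
    try:
        change_username(users, victim, "attacker-chosen", now)
        outcome = "renamed"
    except PermissionError:
        outcome = "blocked"
    return accepted, outcome, users["victim"]["username"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(oauth_reauth_vulnerable))
    print("fixed:     ", run_scenario(oauth_reauth_fixed))
```

The check that matters is the comparison between the account the OAuth provider resolves to and the account the current session belongs to; verifying that the OAuth identity is valid for some account is not the same as verifying it for this one. Any reauthentication path (password, OAuth, WebAuthn) that can set freshness should bind its result to `session.user_id` in the same way.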