The Fix

pip install fastapi==0.128.5

Based on closed fastapi/fastapi issue #12240 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

@@ -902,8 +902,9 @@ async def process_fn( if value is not None: values[field.alias] = value + field_aliases = {field.alias for field in body_fields} for key, value in received_body.items(): - if key not in values:
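Review bot: the removed `if key not in values:` test inside `for key, value in received_body.items():` has no visible replacement in this excerpt, so confirm the new condition checks membership in `field_aliases` and not in `values`. Because `values[field.alias]` is only set when `value is not None`, a declared field whose value came back as None is absent from `values` and would pass the old test as if it were an undeclared key. A regression test that posts a declared form field as an empty string, plus one that posts an undeclared key, would pin both branches of this loop.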

Why This Fix Works in Production

  • Trigger: Regression between 0.113.0 and 0.114.0: OAuth2PasswordRequestForm used to accept grant_type=""
  • Mechanism: A regression caused form values with empty strings to be interpreted as missing
  • Why the fix works: the upstream change fixes a regression that caused form values with empty strings to be interpreted as missing (first fixed release: 0.128.5).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • A regression caused form values with empty strings to be interpreted as missing
  • Production symptom (often without a traceback): Regression between 0.113.0 and 0.114.0: OAuth2PasswordRequestForm used to accept grant_type=""

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“This was fixed by https://github.com/fastapi/fastapi/pull/13537 and available in FastAPI 0.123.2 🎉”
@YuriiMotov · 2025-12-03 · source
“@Kludex I don't know if this is the correct way, but we can change this code by replacing the form pattern with the default value.…”
@sinisaos · 2024-09-22 · source
“Is there any objection to this proposed fix?”
@rbubley · 2024-10-15 · source
“Investigating this report, I was able to trace the origin of the problem and opened a new discussion here https://github.com/fastapi/fastapi/discussions/12536 as it broadly concerns Forms”
@luzzodev · 2024-10-25 · source

Failure Signature (Search String)

  • Regression between 0.113.0 and 0.114.0: OAuth2PasswordRequestForm used to accept grant_type=""

Error Message

Signature-only (no traceback captured)

Minimal Reproduction

repro.py
grant_type: Annotated[
    Union[str, None],
    Form(),
    Doc(
        """
        The OAuth2 spec says it is required and MUST be the fixed string
        "password". Nevertheless, this dependency class is permissive and
        allows not passing it. If you want to enforce it, use instead the
        `OAuth2PasswordRequestFormStrict` dependency.
        """
    ),
] = "password",

What Broke

OAuth2PasswordRequestForm fails to accept empty grant_type, causing authentication issues.

Why It Broke

A regression caused form values with empty strings to be interpreted as missing

Fix Options (Details)

Option A — Upgrade to fixed release (safe default, recommended)

pip install fastapi==0.128.5

When NOT to use: Do not use this fix if strict validation of grant_type is required.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/fastapi/fastapi/pull/13537

First fixed release: 0.128.5

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

  • Do not use this fix if strict validation of grant_type is required.

Verify Fix

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

Version   Status
0.128.5   Fixed

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.