Jump to solution
Verify

FastAPI 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI (Fix)

Fixed
Spec
Package
FastAPI
Fixed In
0.128.4
Python
3.13.8
Verdict
Status
Fixed
Safe for prod
Yes
Risk
Low
Last verified
2026-02-08
Own content ratio
0.50
#14271 ai auth security Version Mismatch Updated: 2026-02-13
Issue #14271

The Fix

pip install fastapi==0.128.4

Based on closed fastapi/fastapi issue #14271 Β· PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

Jump to Verify Open PR/Commit
@@ -248,6 +248,14 @@ def get_dependant( endpoint_signature = get_typed_signature(call) signature_params = endpoint_signature.parameters + if isinstance(call, SecurityBase): + use_scopes: List[str] = [] + if isinstance(call, (OAuth2, OpenIdConnect)):
repro.py
from uvicorn import run from fastapi import FastAPI, Depends from fastapi.security import OpenIdConnect _oidc = OpenIdConnect( openIdConnectUrl="https://localhost/auth/realms/test/.well-known/openid-configuration", ) app = FastAPI( title="My Application", docs_url="/swagger", redoc_url="/docs", openapi_url="/openapi.json", dependencies=(Depends(_oidc),), ) @app.get("/") async def hello_world(): return {"Hello": "World"} if __name__ == "__main__": run(app=app, port=8080)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A β€” Upgrade to fixed release\npip install fastapi==0.128.4\nWhen NOT to use: Do not use this fix if security schemes are not required in your application.\n\n

Why This Fix Works in Production

  • Trigger: πŸ› 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI
  • Mechanism: Fix security schemes in OpenAPI when added at the top level app.
  • Why the fix works: Fix security schemes in OpenAPI when added at the top level app. (first fixed release: 0.128.4).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.13.8 in real deployments (not just unit tests).
  • Production symptom (often without a traceback): πŸ› 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI

Proof / Evidence

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
β€œThis was solved by @YuriiMotov in https://github.com/fastapi/fastapi/pull/14266. It was just released in FastAPI 0.120.4. :rocket: :tada:”
@tiangolo Β· 2025-10-31 Β· confirmation Β· source

Failure Signature (Search String)

  • πŸ› 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI
  • openapi_url="/openapi.json",
Copy-friendly signature
signature.txt
Failure Signature ----------------- πŸ› 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI openapi_url="/openapi.json",

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- πŸ› 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI openapi_url="/openapi.json",

Minimal Reproduction

repro.py
from uvicorn import run from fastapi import FastAPI, Depends from fastapi.security import OpenIdConnect _oidc = OpenIdConnect( openIdConnectUrl="https://localhost/auth/realms/test/.well-known/openid-configuration", ) app = FastAPI( title="My Application", docs_url="/swagger", redoc_url="/docs", openapi_url="/openapi.json", dependencies=(Depends(_oidc),), ) @app.get("/") async def hello_world(): return {"Hello": "World"} if __name__ == "__main__": run(app=app, port=8080)

Environment

  • Python: 3.13.8

What Broke

Users cannot authenticate sessions due to missing security features in Swagger UI.

Fix Options (Details)

Option A β€” Upgrade to fixed release Safe default (recommended)

pip install fastapi==0.128.4

When NOT to use: Do not use this fix if security schemes are not required in your application.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/fastapi/fastapi/pull/14266

First fixed release: 0.128.4

Last verified: 2026-02-08. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if security schemes are not required in your application.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

VersionStatus
0.128.4 Fixed

Related Issues

No related fixes found.

Cluster: fastapi:configuration-error FastAPI hub FastAPI best practices All hubs All clusters
Related clusters: Data consistency Rate limit Race condition

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #14271. Not affiliated with the library maintainers. Verify before production use.