On 7 July 2025, openstreetmap-website changed how third-party tools can authenticate using OSM via OAuth. This fixes a security vulnerability that would have allowed a malicious site to trick a user into providing credentials for some third-party login services. If you run your own instance of openstreetmap-website, you should upgrade to the latest version or backport the fix as soon as possible.
Unfortunately, the fix breaks some Web applications that display OSM’s login page in a popup window. If you have deployed one of the following applications or libraries, please upgrade to avoid breakage:
Thanks to Sam Jose for reporting the security vulnerability. As a reminder, if you find any security issue in software or services on openstreetmap.org, please follow the Operations Working Group’s security reporting policy.