Allauth

allauth

3 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-27982 1Allauth 1Allauth Mar 9, 2026 Mar 5, 2026 5.1 MEDIUM· v4 6.1 MEDIUM· v3 N/A· v2 An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external...Show more An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.Show less
CVE-2025-65431 1Allauth 1Allauth Dec 23, 2025 Dec 15, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided f...Show more An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.Show less
CVE-2025-65430 1Allauth 1Allauth Jan 20, 2026 Dec 15, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens...Show more An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.Show less