JVN#23669411
django-allauth vulnerable to open redirect
Overview
django-allauth contains an open redirect vulnerability.
Products Affected
- django-allauth versions prior to 65.14.1
Description
django-allauth is a package for implementing user authentication in Django applications. django-allauth contains the following vulnerability.
- Open redirect (CWE-601)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
- CVE-2026-27982
Impact
An open redirect vulnerability exists in django-allauth when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| allauth | django-allauth 65.14.1 released |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Ayato Shitomi of Fore-Z co.ltd and Funabiki Keisuke of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to the developer and coordinated. After the coordination was completed, Ayato Shitomi and Funabiki Keisuke reported the case to JPCERT/CC to notify users of the solution through JVN.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2026-27982 |
| JVN iPedia | JVNDB-2026-000034 |