
AIKIDO-2026-10241

django-allauth is vulnerable to Insufficient Verification of Data Authenticity

Insufficient Verification of Data Authenticity Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Feb 25, 2026

65

Medium Risk

This Affects:

Python: django-allauth
0.0.1 - 65.14.1
Fixed in 65.14.2

TL;DR

Affected versions of this package are vulnerable to rate-limit bypass due to improper client IP address validation. The default implementation trusts the X-Forwarded-For HTTP header when determining the client IP address. Because any client can set that header, an attacker can supply arbitrary values to evade the authentication and signup rate limits, which are keyed on the resolved IP. This allows malicious users to bypass security controls such as login or registration throttling. The issue is fixed by distrusting the X-Forwarded-For header by default and requiring either explicit proxy configuration or a custom client IP resolution.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

django-allauth is vulnerable to Insufficient Verification of Data Authenticity in versions 0.0.1 - 65.14.1.

How to fix this

Upgrade the django-allauth library to the patched version (65.14.2 or later). After the upgrade, X-Forwarded-For is distrusted by default, so the client IP falls back to the direct peer address unless you tell allauth how to resolve it. You must either configure ALLAUTH_TRUSTED_PROXY_COUNT (the number of reverse proxies in front of the application), rely on ALLAUTH_TRUSTED_CLIENT_IP_HEADER (a header your edge proxy sets and that clients cannot forge), or override get_client_ip().
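The following is an added example, not django-allauth's own code, that models the two resolution strategies the advisory contrasts: a naive resolver that takes the leftmost X-Forwarded-For entry, and a hardened resolver that distrusts the header unless a trusted proxy count (or a trusted client-IP header name) is declared, mirroring the role of ALLAUTH_TRUSTED_PROXY_COUNT and ALLAUTH_TRUSTED_CLIENT_IP_HEADER without reproducing allauth's implementation. A minimal per-IP login throttle and a constructed burst of requests (addresses from RFC 5737 documentation ranges) show why the naive resolver makes the throttle ineffective and the hardened one does not.

```python
"""Client-IP resolution behind reverse proxies: naive vs. trusted-proxy-count.

Added illustration of the vulnerability class in the advisory. Function and
parameter names are this example's own, not django-allauth's API.
"""
from collections import Counter
from ipaddress import ip_address
from typing import Callable, Optional


def _parse_xff(header: str) -> list:
    """Split a comma-separated X-Forwarded-For value into its entries."""
    return [p.strip() for p in header.split(",") if p.strip()]


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def naive_client_ip(headers: dict, remote_addr: str) -> str:
    """Vulnerable pattern: trust the leftmost X-Forwarded-For entry outright.

    The client controls that entry, so the returned address is whatever the
    client chose to send, and any per-IP rate limit keyed on it is meaningless.
    """
    parts = _parse_xff(headers.get("X-Forwarded-For", ""))
    return parts[0] if parts else remote_addr


def client_ip(headers: dict, remote_addr: str,
              trusted_proxy_count: int = 0,
              trusted_client_ip_header: Optional[str] = None) -> str:
    """Hardened pattern: distrust X-Forwarded-For unless the deployment says
    how many proxies append to it, or names a header the edge proxy sets.

    With N trusted proxies, each appends the peer it saw, so the real client
    is the Nth entry counted from the right. Anything the client itself put
    in the header sits further left and is ignored.
    """
    if trusted_client_ip_header:
        # Only safe if the edge proxy overwrites this header on every request.
        value = (headers.get(trusted_client_ip_header) or "").strip()
        return value if _is_ip(value) else remote_addr
    if trusted_proxy_count <= 0:
        return remote_addr  # default: the direct peer is the client
    parts = _parse_xff(headers.get("X-Forwarded-For", ""))
    if len(parts) < trusted_proxy_count:
        return remote_addr  # chain shorter than configured; do not guess
    candidate = parts[-trusted_proxy_count]
    return candidate if _is_ip(candidate) else remote_addr


class LoginThrottle:
    """Minimal per-IP attempt counter standing in for a login rate limiter."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.hits = Counter()

    def allow(self, ip: str) -> bool:
        self.hits[ip] += 1
        return self.hits[ip] <= self.limit


def simulate_login_burst(resolve: Callable[[dict, str], str],
                         attempts: int = 20) -> int:
    """Constructed scenario: one client (203.0.113.7) behind a single trusted
    reverse proxy (10.0.0.1) sends `attempts` login requests, each carrying a
    different self-chosen X-Forwarded-For value. The proxy appends the real
    client address after it. Returns how many requests the throttle allowed.
    """
    throttle = LoginThrottle(limit=5)
    real_client = "203.0.113.7"
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}, {real_client}"}
        if throttle.allow(resolve(headers, "10.0.0.1")):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("naive resolver allowed:", simulate_login_burst(naive_client_ip))
    print("hardened resolver allowed:",
          simulate_login_burst(lambda h, r: client_ip(h, r, trusted_proxy_count=1)))
```

Note the fall-back behaviour: when the configured proxy count exceeds the header length, or the selected entry is not a valid address, the hardened resolver returns the direct peer rather than guessing, which is the conservative choice for a throttle key. A deployment check worth making after upgrading is to send a request with a forged X-Forwarded-For through your real proxy chain and confirm the resolved client IP is your own address, not the forged one.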