django-request-token is vulnerable to Improper Authentication
Medium Risk
Affected versions of this package allowed @use_request_token(scope="...") to be applied without explicitly setting required. Because required defaulted to False, token-less requests were silently allowed through the decorator, creating a misleading access-control footgun: the decorator appeared to gate the view but did not. An attacker could exploit this by calling endpoints decorated with @use_request_token(...) without providing any token, bypassing the intended token-gated protection and reaching privileged handlers to read sensitive data or trigger unauthorized state-changing actions, depending on what those routes expose.
You are affected if you are using a version that falls within the vulnerable range or if you did not explicitly set required=True on endpoints or views that rely on token validation.
django-request-token is vulnerable to Improper Authentication in versions 0.10.0 - 2.4.0.
Upgrade the django-request-token library to the patched version or set required=True explicitly on every decorated view.
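As an added example (not code from django-request-token itself), the following audit script uses Python's ast module to list views decorated with @use_request_token(...) that do not set required=True explicitly, which is exactly the configuration this advisory describes. The sample module it scans, including its import path, is constructed for the demonstration.

```python
"""Audit helper (added example, not part of django-request-token) that flags
views decorated with @use_request_token(...) where required=True is not set
explicitly, so the vulnerable default (required=False) cannot apply."""
import ast


def _decorator_name(node):
    """Return the callable name of a decorator node, e.g. 'use_request_token'."""
    target = node.func if isinstance(node, ast.Call) else node
    if isinstance(target, ast.Attribute):
        return target.attr
    if isinstance(target, ast.Name):
        return target.id
    return None


def _required_is_true(call):
    """True only if the decorator call carries the literal keyword required=True."""
    for kw in call.keywords:
        if kw.arg == "required":
            return isinstance(kw.value, ast.Constant) and kw.value.value is True
    return False


def find_unguarded_views(source):
    """Return [(view_name, line)] for every @use_request_token decorator that
    does not set required=True, i.e. views that would accept token-less requests."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if _decorator_name(dec) != "use_request_token":
                continue
            # Bare @use_request_token, or a call without an explicit required=True
            if not isinstance(dec, ast.Call) or not _required_is_true(dec):
                findings.append((node.name, dec.lineno))
    return findings


# Constructed sample module (hypothetical views and import path, parsed only).
SAMPLE_VIEWS = '''
from request_token.decorators import use_request_token

@use_request_token(scope="reports")                  # vulnerable: required omitted
def export_report(request):
    ...

@use_request_token(scope="reports", required=False)  # vulnerable: explicit False
def preview_report(request):
    ...

@use_request_token(scope="reports", required=True)   # guarded
def delete_report(request):
    ...
'''

if __name__ == "__main__":
    for name, line in find_unguarded_views(SAMPLE_VIEWS):
        print(f"line {line}: view '{name}' lacks required=True")
```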