Intel

AIKIDO-2026-598511

social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

59

Medium Risk

This Affects:

PYTHONsocial-auth-core
5.0.0 - 5.0.0
Fixed in 5.0.1
Are you affected? Scan for Free

TL;DR

The partial pipeline resume logic in social_core/utils.py selects the pipeline token before checking whether an external resume needs confirmation. When the request token matches the current session token, the code treats the request as session-owned and resumes immediately, skipping the confirmation step intended for externally resumable partials. As a result, an externally resumable partial link (such as an email validation link) can be consumed by a plain GET in the originating session without the intended confirmation, enabling login CSRF-style consumption of the partial. The fix adds _partial_pipeline_requires_confirmation and reorders token selection so external resumes require explicit confirmation even within the same session.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application enables externally resumable partial pipelines (the allow_external_resume option).

Background info

social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 5.0.0 - 5.0.0.

How to fix this

Upgrade the social-auth-core library to the patch version.