Intel

AIKIDO-2026-629620

social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

46

Medium Risk

This Affects:

PYTHONsocial-auth-core
0.0.1 - 5.0.1
Fixed in 5.0.2
Are you affected? Scan for Free

TL;DR

The social-auth-core LINE and Shopify OAuth backends complete the login callback without validating the OAuth state parameter against the value stored in the session. The Shopify backend also never sends a state parameter when building its authorization URL, so the callback cannot be tied to the session that started the flow. An attacker can craft a callback request and trick a victim into completing it, logging the victim into an account chosen by the attacker. The fix sends a state value on the Shopify authorization request and validates the callback state in both backends before exchanging the authorization code.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the LINE or Shopify authentication backend.

Background info

social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 5.0.1.

How to fix this

Upgrade the social-auth-core library to the patch version.