Intel

AIKIDO-2026-693285

social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

45

Medium Risk

This Affects:

PYTHONsocial-auth-core
0.0.1 - 4.9.1
Fixed in 5.0.0
Are you affected? Scan for Free

TL;DR

The library implements OAuth, SAML, and partial-pipeline authentication across many provider backends. Several flows accept an authorization callback without binding it to the user's session: the twilio and loginradius backends do not validate a state parameter, partial pipeline resume is not tied to session ownership, and the SAML backend does not validate the response against the original AuthnRequest. An attacker can abuse these gaps to perform login CSRF, replay or inject SAML responses, and confuse account identities, leading to account takeover, and related backends such as vk, vend, and odnoklassniki also trust unverified callback data. The fix enforces callback state validation, binds partial pipeline resume to session ownership or explicit confirmation, validates the SAML InResponseTo value, and verifies returned user identities.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 4.9.1.

How to fix this

Upgrade the social-auth-core library to the patch version.