Intel

AIKIDO-2026-971080

social-auth-app-django is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

59

Medium Risk

This Affects:

PYTHONsocial-auth-app-django
0.0.1 - 5.9.0
Fixed in 6.0.0
Are you affected? Scan for Free

TL;DR

The Django social authentication views expose login initiation and externally resumed partial pipelines. Before the fix, the login begin view accepted GET requests by default, so a cross-site request could silently start a social login in a victim's browser and drive their authentication flow (login CSRF). The same release also adds a server-generated nonce confirmation page that must be submitted before an externally resumed partial pipeline continues, closing a related forged or replayed resume path. The fix makes the login views always require POST and renders the confirmation page for external partial-pipeline resumes.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application exposes the social authentication login or partial-pipeline resume endpoints.

Background info

social-auth-app-django is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 5.9.0.

How to fix this

Upgrade the social-auth-app-django library to the patch version.