—
PYSEC-2026-1932
Python Social Auth - Django has unsafe account association
Details
### Impact
Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.
### Patches
* https://github.com/python-social-auth/social-app-django/pull/803
### Workarounds
Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / social-auth-app-django
Introduced in:
0 Fixed in: 5.6.0 Fix
pip install --upgrade 'social-auth-app-django>=5.6.0' References
- https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-61783 [ADVISORY]
- https://github.com/python-social-auth/social-app-django/issues/220 [WEB]
- https://github.com/python-social-auth/social-app-django/issues/231 [WEB]
- https://github.com/python-social-auth/social-app-django/issues/634 [WEB]
- https://github.com/python-social-auth/social-app-django/pull/803 [WEB]
- https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c [WEB]
- https://github.com/python-social-auth/social-app-django [PACKAGE]
- https://pypi.org/project/social-auth-app-django [PACKAGE]
- https://github.com/advisories/GHSA-wv4w-6qv2-qqfg [ADVISORY]