—
PYSEC-2026-1932
Python Social Auth - Django has unsafe account association
상세
### Impact
Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.
### Patches
* https://github.com/python-social-auth/social-app-django/pull/803
### Workarounds
Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
PyPI / social-auth-app-django
최초 영향 버전:
0 수정 버전: 5.6.0 수정
pip install --upgrade 'social-auth-app-django>=5.6.0' 참고
- https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-61783 [ADVISORY]
- https://github.com/python-social-auth/social-app-django/issues/220 [WEB]
- https://github.com/python-social-auth/social-app-django/issues/231 [WEB]
- https://github.com/python-social-auth/social-app-django/issues/634 [WEB]
- https://github.com/python-social-auth/social-app-django/pull/803 [WEB]
- https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c [WEB]
- https://github.com/python-social-auth/social-app-django [PACKAGE]
- https://pypi.org/project/social-auth-app-django [PACKAGE]
- https://github.com/advisories/GHSA-wv4w-6qv2-qqfg [ADVISORY]