CVE-2026-27982

Name:        CVE-2026-27982
Description: An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.
Source:      CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1130044

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release      Version               Status
django-allauth (PTS)  bullseye     0.44.0+ds-1+deb11u1   vulnerable
                      bookworm     0.51.0-1              vulnerable
                      trixie       65.0.2-1              vulnerable
                      forky, sid   65.15.0-1             fixed

The information below is based on the following data on fixed versions.

Package         Type    Release     Fixed Version   Urgency   Origin   Debian Bugs
django-allauth  source  (unstable)  65.15.0-1                          1130044

Notes

[bullseye] - django-allauth <postponed> (Minor issue, open redirect)
https://allauth.org/news/2026/02/django-allauth-65.14.1-released/
