CVE-2026-27982

Root

Cause CVE-2026-27982 is an open redirect vulnerability in django-allauth versions prior to 65.14.1. The flaw resides in the SAML Identity Provider (IdP) initiated SSO feature, which is disabled by default. When enabled, the application uses the RelayState parameter from the SAML authentication response to redirect the user after login without validating the target URL. This allows an attacker to supply a crafted URL that redirects the user to an arbitrary external site [1][3].

Exploitation

Exploitation requires SAML IdP-initiated SSO to be enabled in the django-allauth configuration. An attacker must control or compromise the SAML IdP or craft a malicious SAML response containing a RelayState URL pointing to an external domain. When a user authenticates through the attacker-controlled IdP, the application processes the response and redirects the user to the attacker-specified URL [3][4]. The vulnerability has a CVSS v3 base score of 4.3 (Medium) and a CVSS v4 base score of 5.1 (Medium) [3].

Impact

An authenticated user who completes a SAML login session may be redirected to a phishing or malicious website controlled by the attacker. This can lead to credential theft, malware delivery, or other social engineering attacks, as the user trusts the legitimate application's redirect [3]. The open redirect bypasses browser protections and can be used to undermine the application's integrity.

Mitigation

The vulnerability is fixed in django-allauth version 65.14.1 and later [4]. The update ensures that redirect URLs from RelayState are properly validated against a whitelist or rejected if external. Users who have not enabled SAML IdP-initiated SSO are unaffected, as the feature is disabled by default. No workaround is available other than updating the software [1][3].