django-allauth User Token Handling Vulnerability Leading to Inactive Account Bypass
Vulnerability
A vulnerability exists in django-allauth versions prior to 65.13.0: marking a user inactive after access and refresh tokens had been issued to that user (while the account was still active) did not invalidate those tokens, so they remained usable despite the account status change. The issue has been addressed in version 65.13.0, where tokens are now rejected whenever the owning user's account is marked inactive.
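To make the failure mode concrete, the following is an added Python illustration, not django-allauth's own code: a hypothetical in-memory token service (`Account`, `TokenService`, `simulate` are all invented names) that in its vulnerable configuration checks `is_active` only at login, and in the fixed configuration re-checks it every time an access token is presented or a refresh token is exchanged.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
@dataclass
class Account:
    username: str
    is_active: bool = True  # the flag an administrator clears to deactivate

@dataclass
class TokenService:
    # False reproduces the pre-65.13.0 behaviour; True models the fix.
    check_active_on_use: bool = False
    tokens: Dict[str, Tuple[Account, str]] = field(default_factory=dict)

    def _mint(self, account: Account) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[access] = (account, "access")
        self.tokens[refresh] = (account, "refresh")
        return access, refresh

    def login(self, account: Account) -> Tuple[str, str]:
        # Login rejects inactive accounts in both versions; the bug is later.
        if not account.is_active:
            raise PermissionError("inactive account")
        return self._mint(account)

    def resolve(self, token: str, kind: str) -> Optional[Account]:
        entry = self.tokens.get(token)
        if entry is None or entry[1] != kind:
            return None
        account = entry[0]
        # The fix: honour a token only while its owner is still active.
        if self.check_active_on_use and not account.is_active:
            return None
        return account

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        account = self.resolve(refresh_token, "refresh")
        if account is None:
            return None
        del self.tokens[refresh_token]  # refresh tokens are single-use
        return self._mint(account)

def simulate(check_active_on_use: bool) -> Dict[str, bool]:
    svc = TokenService(check_active_on_use)
    alice = Account("alice")  # constructed sample user
    access, refresh = svc.login(alice)
    alice.is_active = False  # deactivated after tokens were issued
    return {"access_accepted": svc.resolve(access, "access") is not None,
            "refresh_accepted": svc.refresh(refresh) is not None}
```

`simulate(False)` reports both tokens still accepted after deactivation, which is the behaviour described above; `simulate(True)` reports both rejected.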
Impact
Exploitation of this vulnerability allowed for access and refresh tokens to remain valid even after a user's account was marked inactive, potentially leading to unauthorized access.
Remediation
Users can upgrade to django-allauth version 65.13.0 or later to address this vulnerability.
