PYSEC-2026-1931

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/social-auth-app-django/PYSEC-2026-1931.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2026-1931
Aliases
Published
2026-07-07T11:45:40.057313Z
Modified
2026-07-07T17:46:24.530891689Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
social-auth-app-django affected by Improper Handling of Case Sensitivity
Details

Impact

Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix released in 5.4.1.

Workarounds

An immediate workaround would be to change collation of the affected field:

ALTER TABLE `social_auth_usersocialauth` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

References

This issue was discovered by folks at https://opencraft.com/.

References

Affected packages

PyPI / social-auth-app-django

Package

Name
social-auth-app-django
View open source insights on deps.dev
Purl
pkg:pypi/social-auth-app-django

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.4.1

Affected versions

0.*
0.0.1
0.1.0
1.*
1.0.0
1.0.1
1.1.0
1.2.0
2.*
2.0.0
2.1.0
3.*
3.0.0
3.1.0
3.3.0
3.4.0
4.*
4.0.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/social-auth-app-django/PYSEC-2026-1931.yaml"