Home

Description

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.

PUBLISHED Reserved 2025-11-18 | Published 2025-12-15 | Updated 2025-12-16 | Assigner mitre

References

allauth.org/news/2025/10/django-allauth-65.13.0-released/

cve.org (CVE-2025-65431)

nvd.nist.gov (CVE-2025-65431)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.