CVE-2026-27982 is an open redirect vulnerability found in the django-allauth library, a popular authentication package for Django web applications. The issue exists in all versions prior to 65.14.1 and manifests when the SAML Identity Provider (IdP) initiated Single Sign-On (SSO) feature is enabled, which is disabled by default. The vulnerability allows an attacker to craft a malicious URL that, when clicked by a user, redirects them to an arbitrary external website. This redirection occurs because the application fails to properly validate or restrict the redirect target URL parameter during the SAML IdP initiated SSO flow. Although the vulnerability does not directly compromise confidentiality or availability, it can be exploited to conduct phishing attacks by redirecting users to malicious sites that mimic legitimate login pages or to sites hosting malware. The attack requires no authentication but does require user interaction (clicking the crafted URL). The CVSS 3.0 base score is 4.3, reflecting a medium severity level due to the limited impact on system integrity and no direct data breach. No known exploits have been reported in the wild as of the publication date. The vulnerability was publicly disclosed on March 5, 2026, and users are advised to upgrade to django-allauth version 65.14.1 or later where the issue is resolved.

The primary impact of this vulnerability is the potential for phishing and social engineering attacks. By exploiting the open redirect, attackers can lure users into visiting malicious websites that appear trustworthy, potentially leading to credential theft, malware infection, or further exploitation. While the vulnerability does not directly expose sensitive data or disrupt service availability, it undermines the integrity of the authentication process and user trust. Organizations relying on django-allauth with SAML IdP initiated SSO enabled may face reputational damage and increased risk of user compromise. The scope is limited to applications that have explicitly enabled this SAML feature, which is not enabled by default, reducing the overall exposure. However, given the widespread use of Django and django-allauth in web applications globally, the risk remains significant for affected deployments.

To mitigate this vulnerability, organizations should upgrade django-allauth to version 65.14.1 or later, where the open redirect issue has been fixed. If immediate upgrading is not feasible, administrators should disable the SAML IdP initiated SSO feature until a patch can be applied, as it is disabled by default and only enabled explicitly. Additionally, implement strict validation of redirect URLs to ensure they point only to trusted internal domains. Web application firewalls (WAFs) can be configured to detect and block suspicious redirect parameters. Educate users to be cautious of unexpected redirects and to verify URLs before clicking. Monitoring logs for unusual redirect patterns can help detect exploitation attempts. Finally, consider employing multi-factor authentication (MFA) to reduce the impact of credential theft resulting from phishing.