What is GHSA-qhmc-3mvr-f2j4?

GHSA-qhmc-3mvr-f2j4 is a security advisory published by GitHub Security Advisories with Medium severity. django-allauth does not reject access tokens for inactive users

Which CVE IDs does GHSA-qhmc-3mvr-f2j4 cover?

GHSA-qhmc-3mvr-f2j4 covers the following CVE IDs: CVE-2025-65430. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-qhmc-3mvr-f2j4?

GHSA-qhmc-3mvr-f2j4 has a CVSS v3 base score of 5.4, published by GitHub Security Advisories.

Which products are affected by GHSA-qhmc-3mvr-f2j4?

GHSA-qhmc-3mvr-f2j4 affects 1 product, including: pip/django-allauth:\u003c 65.13.0.

GHSA-qhmc-3mvr-f2j4MediumCVSS 5.4

django-allauth does not reject access tokens for inactive users

Vendor

GitHub Security Advisories

Published

December 15, 2025

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2025-65430 →

📋 Description

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.

🎯 Affected products1

pip/django-allauth:< 65.13.0

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2025-65430
https://allauth.org/news/2025/10/django-allauth-65.13.0-released
https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0
https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d
https://github.com/pypa/advisory-database/tree/main/vulns/django-allauth/PYSEC-2025-110.yaml
https://github.com/advisories/GHSA-qhmc-3mvr-f2j4