
The Fix

pip install celery==4.4.0rc5

Based on closed celery/celery issue #5056 · PR/commit linked

Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.

@@ -42,7 +42,7 @@ from . import backends from .annotations import prepare as prepare_annotations -from .defaults import find_deprecated_settings +from .defaults import find_deprecated_settings, DEFAULT_SECURITY_DIGEST from .registry import TaskRegistry
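Review bot: the changed import line pulls `DEFAULT_SECURITY_DIGEST` out of `.defaults`, but nothing in this hunk uses it, so from these lines it is not possible to tell where the default digest is applied or which algorithm it names. Reference the call site in the commit message or a short comment, and document the default alongside the other security settings so operators know which digest signs their messages.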

Why This Fix Works in Production

  • Trigger: [2018-09-10 02:33:07,446: CRITICAL/MainProcess] Unrecoverable error: ContentDisallowed('Refusing to deserialize disabled content of type json…
  • Mechanism: The security setup in Celery fails silently if the task serializer is not set to 'auth'.
  • Why the fix works: Improves message signing in Celery, addressing the issues related to silent failures and unsigned messages. (first fixed release: 4.4.0rc5).
Production impact:
  • If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.

Why This Breaks in Prod

  • Shows up under Python 3.6 in real deployments (not just unit tests).
  • The security setup in Celery fails silently if the task serializer is not set to 'auth'.
  • Surfaces as: [2018-09-10 02:33:07,446: CRITICAL/MainProcess] Unrecoverable error: ContentDisallowed('Refusing to deserialize disabled content of type json (application/json)',)

Proof / Evidence

  • GitHub issue: #5056
  • Fix PR: https://github.com/celery/celery/pull/5091
  • First fixed release: 4.4.0rc5
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.38

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“@bpereto you are welcome for the contribution!”
@auvipy · 2018-10-02 · source
“A locally run test with python setup.py test shows the unittest coverage of celery.security is 100%. The tests are only running if pyOpenSSL is…”
@0asys · 2018-10-05 · source
“Why is the install of pyOpenSSL disabled in tox? requirements/test-ci-default.txt”
@0asys · 2018-10-05 · source
“Please open related PRs and we can discuss things better there.”
@auvipy · 2018-10-06 · source

Failure Signature (Search String)

  • [2018-09-10 02:33:07,446: CRITICAL/MainProcess] Unrecoverable error: ContentDisallowed('Refusing to deserialize disabled content of type json (application/json)',)

Error Message

Stack trace
[2018-09-10 02:33:07,446: CRITICAL/MainProcess] Unrecoverable error: ContentDisallowed('Refusing to deserialize disabled content of type json (application/json)',)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/celery/worker/worker.py", line 205, in start
    self.blueprint.start(self)
  File "/usr/lib/python3.6/site-packages/celery/bootsteps.py", line 119, in start
    step.start(parent)
  File "/usr/lib/python3.6/site-packages/celery/bootsteps.py", line 369, in start
    return self.obj.start()
  File "/usr/lib/python3.6/site-packages/celery/worker/consumer/consumer.py", line 317, in start
    blueprint.start(self)
  File "/usr/lib/python3.6/site-packages/celery/bootsteps.py", line 119, in start
    step.start(parent)
  File "/usr/lib/python3.6/site-packages/celery/worker/consumer/consumer.py", line 593, in start
    c.loop(*c.loop_args())
  File "/usr/lib/python3.6/site-packages/celery/worker/loops.py", line 91, in asynloop
    next(loop)
  File "/usr/lib/python3.6/site-packages/kombu/asynchronous/hub.py", line 354, in create_loop
    cb(*cbargs)
  File "/usr/lib/python3.6/site-packages/kombu/transport/redis.py", line 1040, in on_readable
    self.cycle.on_readable(fileno)
  File "/usr/lib/python3.6/site-packages/kombu/transport/redis.py", line 337, in on_readable
    chan.handlers[type]()
  File "/usr/lib/python3.6/site-packages/kombu/transport/ ... (truncated) ...

Minimal Reproduction

software -> celery:4.2.1 (windowlicker) kombu:4.2.1 py:3.6.6
            billiard:3.5.0.4 redis:2.10.6
platform -> system:Linux arch:64bit imp:CPython
loader   -> celery.loaders.app.AppLoader
settings -> transport:redis results:redis://redis:6379/

[... Django-related settings redacted ...]
CELERY_ACCEPT_CONTENT: ['auth']
CELERY_BROKER_URL: 'redis://redis:6379//'
CELERY_RESULT_BACKEND: 'redis://redis:6379/'
CELERY_RESULT_SERIALIZER: 'auth'
CELERY_SECURITY_CERTIFICATE: '/private/keys/celery/public.pem'
CELERY_SECURITY_CERT_STORE: '/private/keys/celery/*.pem'
CELERY_SECURITY_KEY: '********'
CELERY_TASK_SERIALIZER: 'auth'

Environment

  • Python: 3.6

What Broke

Workers process unsigned messages, leading to potential security vulnerabilities.

Why It Broke

The security setup in Celery fails silently if the task serializer is not set to 'auth'.
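A preflight check that turns this silent condition into a startup failure, as an added example that is not part of the Celery code base or the linked PR. It uses the setting names from the report above; `check_signing_config` and `require_signing` are hypothetical helpers, and the sample settings are constructed.

```python
# Added example: lint Celery message-signing settings before a worker or
# producer starts. The helpers below are hypothetical, not Celery APIs.

REQUIRED_SERIALIZER = "auth"
SERIALIZER_KEYS = ("CELERY_TASK_SERIALIZER", "CELERY_RESULT_SERIALIZER")
MATERIAL_KEYS = (
    "CELERY_SECURITY_KEY",
    "CELERY_SECURITY_CERTIFICATE",
    "CELERY_SECURITY_CERT_STORE",
)


def check_signing_config(settings):
    """Return a list of findings; an empty list means signing is consistent."""
    findings = []
    # The condition the page describes: a serializer other than 'auth'.
    for key in SERIALIZER_KEYS:
        value = settings.get(key)
        if value != REQUIRED_SERIALIZER:
            findings.append(f"{key} is {value!r}, expected 'auth'")
    # Accepting anything besides 'auth' lets unsigned messages through.
    accepted = settings.get("CELERY_ACCEPT_CONTENT")
    if not accepted:
        findings.append("CELERY_ACCEPT_CONTENT is unset or empty")
    else:
        extra = sorted(set(accepted) - {REQUIRED_SERIALIZER})
        if extra:
            findings.append(f"CELERY_ACCEPT_CONTENT accepts unsigned types: {extra}")
    # Signing needs a key, a certificate and a certificate store.
    for key in MATERIAL_KEYS:
        if not settings.get(key):
            findings.append(f"{key} is missing or empty")
    return findings


def require_signing(settings):
    """Raise at startup instead of running with signing half-enabled."""
    findings = check_signing_config(settings)
    if findings:
        raise RuntimeError("message signing misconfigured: " + "; ".join(findings))


# Constructed sample settings; paths mirror the report, the key is a placeholder.
GOOD = {
    "CELERY_TASK_SERIALIZER": "auth",
    "CELERY_RESULT_SERIALIZER": "auth",
    "CELERY_ACCEPT_CONTENT": ["auth"],
    "CELERY_SECURITY_KEY": "<private key placeholder>",
    "CELERY_SECURITY_CERTIFICATE": "/private/keys/celery/public.pem",
    "CELERY_SECURITY_CERT_STORE": "/private/keys/celery/*.pem",
}
DRIFTED = dict(GOOD, CELERY_TASK_SERIALIZER="json")  # the silent-failure case
```

Calling `require_signing` on the loaded settings in both the worker and every producer catches the mismatch that otherwise surfaces only as `ContentDisallowed` at consume time.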

Fix Options (Details)

Option A — Upgrade to fixed release (safe default, recommended)

pip install celery==4.4.0rc5

When NOT to use: Do not use this fix if your application requires backward compatibility with older serializers.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/celery/celery/pull/5091

First fixed release: 4.4.0rc5

Last verified: 2026-02-09. Validate in your environment.

When NOT to Use This Fix

  • Do not use this fix if your application requires backward compatibility with older serializers.

Verify Fix

Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Prevention

  • Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
  • Pin production dependencies and upgrade only with a reproducible test that hits the failing path.

Version Compatibility Table

Version     Status
4.4.0rc5    Fixed

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.