diff --git a/src/pretix/control/views/auth.py b/src/pretix/control/views/auth.py
index cd16cc6c9..62fa6bb9d 100644
--- a/src/pretix/control/views/auth.py
+++ b/src/pretix/control/views/auth.py
@@ -74,7 +74,9 @@ def login(request):
     backend = [b for b in backends if b.visible][0]
     if request.user.is_authenticated:
         next_url = backend.get_next_url(request) or 'control:index'
-        return redirect(next_url)
+        if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
+            return redirect(next_url)
+        return redirect(reverse('control:index'))
     if request.method == 'POST':
         form = LoginForm(backend=backend, data=request.POST)
         if form.is_valid() and form.user_cache and form.user_cache.auth_backend == backend.identifier:
diff --git a/src/tests/control/test_auth.py b/src/tests/control/test_auth.py
index 69c7effbd..97b8baffb 100644
--- a/src/tests/control/test_auth.py
+++ b/src/tests/control/test_auth.py
@@ -90,6 +90,10 @@ class LoginFormTest(TestCase):
         self.assertEqual(response.status_code, 302)
         self.assertIn('/control/events/', response['Location'])
 
+        response = self.client.get('/control/login?next=//evilsite.com')
+        self.assertEqual(response.status_code, 302)
+        self.assertIn('/control/', response['Location'])
+
     def test_logout(self):
         response = self.client.post('/control/login', {
             'email': 'dummy@dummy.dummy',
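Review bot: The `or 'control:index'` fallback on the `next_url = ...` context line is now dead code: a URL-pattern name like `control:index` parses as scheme `control` with no netloc, so `url_has_allowed_host_and_scheme` rejects it and the request lands on the new `redirect(reverse('control:index'))` anyway; simplify to `next_url = backend.get_next_url(request)` so the single explicit fallback is the only one. The new guard only covers the already-authenticated branch; the successful-login path under `if form.is_valid() ...` is outside this hunk, and if it honors `next` (via `get_next_url` or `request.GET`) without the same check, the open redirect survives a normal login. Note that `allowed_hosts=None` rejects every absolute URL, including same-host ones, which is the safe default; if absolute same-host targets are expected, the Django idiom is `allowed_hosts={request.get_host()}, require_https=request.is_secure()`. What `backend.get_next_url` returns is not visible here, so its output should be treated as untrusted wherever it is redirected to. The `login` function starts before this hunk and continues past it.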
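Review bot: The new assertion `self.assertIn('/control/', response['Location'])` is weaker than it needs to be, because a substring check would also accept a redirect whose path merely contains `/control/`; if the control index resolves to `/control/` (not verifiable from this hunk), `self.assertEqual(response['Location'], '/control/')` pins the safe target exactly. The test only exercises the protocol-relative form `//evilsite.com`; adding `http://evilsite.com/` and `///evilsite.com` cases would cover the other shapes `url_has_allowed_host_and_scheme` is designed to reject. Since this request is made while the client is still logged in from the preceding assertions, it covers only the authenticated branch of the view; a matching case on the POST login path would close the gap. The enclosing test method starts before this hunk.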