Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAJVoTUvO-ZdkgV471qXvwpSuzuRs+NzdQCkL=PWfpH2JXX_3AQ@mail.gmail.com>
Date: Wed, 3 Jun 2026 10:27:08 -0300
From: Natalia Bidart <nataliabidart@...ngoproject.com>
To: oss-security@...ts.openwall.com
Cc: Django Security Team <security@...ngoproject.com>
Subject: Django CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,
 and CVE-2026-48587

* Announce:
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/

* CVE JSON Record for CVE-2026-6873:
https://www.cve.org/CVERecord?id=CVE-2026-6873

* CVE JSON Record for CVE-2026-7666:
https://www.cve.org/CVERecord?id=CVE-2026-7666

* CVE JSON Record for CVE-2026-8404:
https://www.cve.org/CVERecord?id=CVE-2026-8404

* CVE JSON Record for CVE-2026-35193:
https://www.cve.org/CVERecord?id=CVE-2026-35193

* CVE JSON Record for CVE-2026-48587:
https://www.cve.org/CVERecord?id=CVE-2026-48587

In accordance with [our security release policy](
https://docs.djangoproject.com/en/dev/internals/security/),
the Django team is issuing releases for
[Django 6.0.6](https://docs.djangoproject.com/en/dev/releases/6.0.6/) and
[Django 5.2.15](https://docs.djangoproject.com/en/dev/releases/5.2.15/).
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

## CVE-2026-6873: Signed cookie salt namespace collision in
`django.http.HttpRequest.get_signed_cookie`

`get_signed_cookie()` derived the signing salt by concatenating the cookie
name (`key`) and `salt` arguments. When distinct name and salt pairs
produced the same concatenation, cookies could be accepted
in a context different from the one where they were signed.

Cookies are now signed with an unambiguous salt derivation. For backwards
compatibility, cookies signed by older Django versions are accepted until
Django 7.0.

This issue has severity "low" according to the [Django security policy](
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
).

Thanks to Peng Zhou for the report.

## CVE-2026-7666: Potential unencrypted email transmission via `STARTTLS`
in the SMTP backend

When using `EMAIL_USE_TLS`, a failed `STARTTLS` handshake could leave a
partially-initialized connection that would subsequently be reused for
sending email without encryption. This can occur with `fail_silently=True`,
as used by `send_mail()` and `BrokenLinkEmailsMiddleware`, among others.
Connections configured with `EMAIL_USE_SSL` are not affected.

This issue has severity "low" according to the [Django security policy](
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
).

Thanks to Kasper Dupont for the report.

## CVE-2026-8404: Potential exposure of private data via case-sensitive
`Cache-Control` directives in `UpdateCacheMiddleware`

`django.middleware.cache.UpdateCacheMiddleware` and
`django.views.decorators.cache.cache_page` decorator incorrectly cached
responses marked with private `Cache-Control` directives when using mixed
or uppercase values (e.g. `Private`).

The `django.views.decorators.cache.cache_control` decorator and
`django.utils.cache.patch_cache_control()` function were not affected,
since they normalize directives to lowercase. This issue only affects
responses where `Cache-Control` is set manually.

This issue has severity "low" according to the [Django security policy](
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
).

Thanks to Ahmed Badawe for the report.

## CVE-2026-35193: Potential exposure of private data via missing `Vary:
Authorization` in `UpdateCacheMiddleware`

`django.middleware.cache.UpdateCacheMiddleware` and
`django.views.decorators.cache.cache_page` decorator allowed responses to
requests bearing an `Authorization` header (and without `Cache-Control:
public`) to be cached. To conform with the existing mechanism for
constructing cache keys, responses to these requests will now vary on
`Authorization`.

This issue has severity "low" according to the [Django security policy](
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
).

Thanks to Shai Berger for the report.

## CVE-2026-48587: Potential exposure of private data via whitespace
padding in `Vary` header

`django.middleware.cache.UpdateCacheMiddleware` incorrectly cached
responses whose `Vary` header values contained leading or trailing
whitespace. Because `has_vary_header()` failed to strip that whitespace, a
response with a `Vary: * ` header (note the trailing space) was not
recognized as containing the wildcard, causing it to be stored and
potentially served from the cache when it should not have been.

This issue has severity "low" according to the [Django security policy](
https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels
).

Thanks to Navid Rezazadeh for the report.

## Affected supported versions

* Django main
* Django 6.1 (currently at alpha status)
* Django 6.0
* Django 5.2

## Resolution

Patches to resolve the issue have been applied to Django's
main, 6.1 (currently at alpha status), 6.0, and 5.2 branches.
The patches may be obtained from the following changesets.

### CVE-2026-6873: Signed cookie salt namespace collision in
`django.http.HttpRequest.get_signed_cookie`

* On the [main branch](
https://github.com/django/django/commit/70d36515b9cc71700105a14b275583070d48b689
)
* On the [6.1 branch](
https://github.com/django/django/commit/42bdfd74ff85eb9ddf8fd444e2359afd9add59c8
)
* On the [6.0 branch](
https://github.com/django/django/commit/c807d9c398022d23cb27518fa6ecaf343efb30cf
)
* On the [5.2 branch](
https://github.com/django/django/commit/594360cbf58be7f56eb6da96d58644297c99ef85
)

### CVE-2026-7666: Potential unencrypted email transmission via `STARTTLS`
in the SMTP backend

* On the [main branch](
https://github.com/django/django/commit/df887f50198593a0e5b4638bfddbbd43a30fd276
)
* On the [6.1 branch](
https://github.com/django/django/commit/afd82a544910dc79941a44af078bbc59e3e18f1c
)
* On the [6.0 branch](
https://github.com/django/django/commit/625a670c467aa3118c0f8ae1e0df14dbebb3bf68
)
* On the [5.2 branch](
https://github.com/django/django/commit/4e47d2b800435bcbfd1301ef3250b9c7fb8fa670
)

### CVE-2026-8404: Potential exposure of private data via case-sensitive
`Cache-Control` directives in `UpdateCacheMiddleware`

* On the [main branch](
https://github.com/django/django/commit/d618d7ae4fec727d5b582bd24f803c28d17bf7cd
)
* On the [6.1 branch](
https://github.com/django/django/commit/130467c8b4d05a69b885363aa7d47386e4f5d6a9
)
* On the [6.0 branch](
https://github.com/django/django/commit/b4330259ffbe1a031ed14daab1f35697460f10f2
)
* On the [5.2 branch](
https://github.com/django/django/commit/366d9ae6e8d1469c04e9ebdc1bcd098fc14a3b1e
)

### CVE-2026-35193: Potential exposure of private data via missing `Vary:
Authorization` in `UpdateCacheMiddleware`

* On the [main branch](
https://github.com/django/django/commit/a2faa8e895926ac5d63f72879b5ccf671b5b4ba9
)
* On the [6.1 branch](
https://github.com/django/django/commit/b7b23f4697850e232486d787df3459f19bd16dba
)
* On the [6.0 branch](
https://github.com/django/django/commit/664652f1a2dd80d8a4cd491b4313cad915ae6669
)
* On the [5.2 branch](
https://github.com/django/django/commit/050a3dc276f9142067260e990e4d8d42d5e32863
)

### CVE-2026-48587: Potential exposure of private data via whitespace
padding in `Vary` header

* On the [main branch](
https://github.com/django/django/commit/42aa0b3364d312e7c6472258d8b0e9c0277fbf22
)
* On the [6.1 branch](
https://github.com/django/django/commit/e06958dbfff789d6a72efb1d38c65b4b22b6690e
)
* On the [6.0 branch](
https://github.com/django/django/commit/1721035a72624aad7b38dd19b14013efd94b24b8
)
* On the [5.2 branch](
https://github.com/django/django/commit/9b62b0af71a14c657d19d95371630ba839e83d9a
)

## The following releases have been issued

* Django 6.0.6 ([tarball](
https://www.djangoproject.com/download/6.0.6/tarball/) | [checksums](
https://www.djangoproject.com/download/6.0.6/checksum/))
* Django 5.2.15 ([tarball](
https://www.djangoproject.com/download/5.2.15/tarball/) | [checksums](
https://www.djangoproject.com/download/5.2.15/checksum/))

The PGP key ID used for this release is Natalia Bidart: [2EE82A8D9470983E](
https://github.com/nessita.gpg)

## General notes regarding security reporting

As always, we ask that potential security issues be reported via private
email
to `security@...ngoproject.com`, and not via Django's Trac instance, nor via
the Django Forum. Please see
[our security policies](https://www.djangoproject.com/security/) for further
information.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.