Django Web Framework Vulnerability Allowing Cookie Misuse
CVE-2026-6873
2.3 LOW
What is CVE-2026-6873?
A vulnerability in the Django framework results from improper handling of signed cookies. The affected versions use a flawed salt derivation method that combines the cookie name with the salt argument in a non-injective manner, so distinct (cookie name, salt) pairs can produce the same derived salt. This could enable a remote attacker to manipulate signed cookies so that a cookie signed for one context is accepted in another context the application did not intend. The issue has been addressed in Django versions 6.0.6 and 5.2.15; earlier, unsupported versions may also be susceptible. Users are encouraged to update their installations and review the security documentation for best practices.
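As an added illustration of the non-injective derivation class described above (this is constructed demo code, not Django's implementation; the secret, cookie names, salts and the two derivation functions are assumptions made for the demo), the following shows why plain concatenation of cookie name and salt lets a signature computed for one context verify in another, and how a length-prefixed encoding removes the ambiguity:

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed for the demo only


def derive_salt_concat(cookie_name: str, salt: str) -> bytes:
    """Flawed: plain concatenation is not injective.
    ("session", "id") and ("sess", "ionid") both yield b"sessionid"."""
    return (cookie_name + salt).encode()


def derive_salt_injective(cookie_name: str, salt: str) -> bytes:
    """Length-prefix each field so distinct pairs map to distinct byte strings."""
    n, s = cookie_name.encode(), salt.encode()
    return len(n).to_bytes(4, "big") + n + len(s).to_bytes(4, "big") + s


def sign(value: str, key_salt: bytes) -> str:
    """HMAC the value under a key derived from the salt and the secret."""
    key = hashlib.sha256(key_salt + SECRET).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def signed_cookie(value: str, cookie_name: str, salt: str, derive) -> str:
    return f"{value}:{sign(value, derive(cookie_name, salt))}"


def verify(cookie: str, cookie_name: str, salt: str, derive) -> bool:
    """Constant-time check that the cookie's MAC matches this (name, salt) context."""
    value, _, mac = cookie.rpartition(":")
    return hmac.compare_digest(mac, sign(value, derive(cookie_name, salt)))


def derivation_is_ambiguous(derive) -> bool:
    """True if a cookie signed in one (name, salt) context verifies in a
    different context whose fields concatenate to the same string."""
    cookie = signed_cookie("u42", "session", "id", derive)
    return verify(cookie, "sess", "ionid", derive)


if __name__ == "__main__":
    print("concat ambiguous:", derivation_is_ambiguous(derive_salt_concat))      # True
    print("length-prefixed ambiguous:", derivation_is_ambiguous(derive_salt_injective))  # False
```

The defensive takeaway is the same one the fix embodies: any derived key material built from several fields needs an injective encoding (delimiters or length prefixes), not bare concatenation.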
Affected Version(s)
Django 6.0 < 6.0.6
Django 5.2 < 5.2.15
Django 6.0.6
