Potential unencrypted email transmission via STARTTLS in the SMTP backend
CVE-2026-7666

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 June 2026

What is CVE-2026-7666?

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when fail_silently=True, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

Affected Version(s)

Django 6.0 < 6.0.6

Django 5.2 < 5.2.15

Django 6.0.6

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kasper Dupont
Jake Howard
Natalia Bidart
.