Email Backend Vulnerability in Django by Django Software Foundation
CVE-2026-7666

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 June 2026

What is CVE-2026-7666?

A vulnerability exists in the Email Backend of Django applications pre-6.0.6 and pre-5.2.15 that allows attackers to intercept email content. The issue arises from the reuse of a partially-initialized connection following a failed STARTTLS handshake when 'fail_silently=True' is set. Consequently, this may expose sensitive email data to on-path network attackers. Prior versions of Django, specifically the unsupported series (5.0.x, 4.1.x, and 3.2.x), may also be vulnerable, although they have not been formally evaluated.

Affected Version(s)

Django 6.0 < 6.0.6

Django 5.2 < 5.2.15

Django 6.0.6

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kasper Dupont
Jake Howard
Natalia Bidart
.