Description
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Bence Nagy for reporting this issue.
Published: 2026-07-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the DomainNameValidator, which allows newline characters to pass through when domain names are supplied programmatically. If an application subsequently places the unfiltered value into an HTTP response header, the newlines can split the header, leading to HTTP response splitting or injection. This vulnerability is a form of header injection that can subvert request/response integrity and possibly redirect users or expose confidential information, as the HTTP response can be manipulated by an attacker.

Affected Systems

The flaw affects Django releases 6.0 through 6.0.6 and 5.2 through 5.2.15. Versions before 6.0 and 5.2 are untested but may also be vulnerable. Applications using Django 5.0.x, 4.1.x, or 3.2.x are not evaluated and residual risks remain if similar code paths exist.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the medium severity range. Exploitation requires the attacker to control or influence the domain name value that the application will insert into HTTP headers. The attack vector is therefore application‑side, not directly network remote; the EPSS score is < 1%, so the precise likelihood of exploitation is very low. Django itself is not affected because its HttpResponse class filters newlines from headers, but custom usage bypassing the framework’s sanitization exposes the risk.

Generated by OpenCVE AI on July 8, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to 6.0.7 or later, or to 5.2.16 or later, to receive the fix that rejects newlines in DomainNameValidator
  • Validate or sanitize any domain name inputs in application code to reject or encode newline characters before using them in headers
  • If upgrade is not immediately possible, ensure that domain values from untrusted sources are never inserted into any HTTP header fields; use safe response APIs that disallow newlines or perform explicit newline stripping before header construction

Generated by OpenCVE AI on July 8, 2026 at 16:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Tue, 07 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.
Title Header injection possibility since DomainNameValidator accepted newlines in input
Weaknesses CWE-144
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-07-07T14:58:18.415Z

Reserved: 2026-06-11T01:11:27.546Z

Link: CVE-2026-53878

cve-icon Vulnrichment

Updated: 2026-07-07T14:58:15.123Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T16:15:04Z

Weaknesses
  • CWE-144

    Improper Neutralization of Line Delimiters