CVE-2026-6873 - Vulnerability Details

- Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

Description

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Peng Zhou for reporting this issue.

Published: 2026-06-03

Score: 2.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from Django's get_signed_cookie method, which derives a signing key by concatenating the cookie name and a provided salt. This concatenation is not injective, allowing two distinct (name, salt) pairs that produce the same combined key, exposing an Insecure Key Derivation flaw (CWE-303) and a misuse of cookie names (CWE-347). Consequently, an attacker can use a cookie that was signed for one name in a different context where a different (name, salt) pair produces the same key, effectively bypassing the intended isolation between cookies.

Affected Systems

Django versions 6.0 up to 6.0.5 and 5.2 up to 5.2.14 are vulnerable. The affected series include Django 6.0 and 5.2. Unverified older series such as 5.0.x, 4.1.x, and 3.2.x may also be impacted, but have not been evaluated by Django and therefore may remain vulnerable.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, highlighting modest impact when the flaw is exploited. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network‑based request where the attacker injects a crafted signed cookie into an HTTP request; this inference is based on the fact that the flaw involves signed cookie handling in django.http.HttpRequest.get_signed_cookie.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

djangoproject

Django

unaffected

Version	Status	Constraints
`6.0`	affected	< 6.0.6
`6.0.6`	unaffected	—
`5.2`	affected	< 5.2.15
`5.2.15`	unaffected	—

No data.

Vendor Product Confidence Versions

Djangoproject

Django

100%

Version	Status	Scheme	Platform
`[6.0,6.0.6)`	affected	generic	—
`6.0.6`	unaffected	semver	—
`[5.2,5.2.15)`	affected	generic	—
`5.2.15`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Django 6.0.6 or newer, or Django 5.2.15 or newer to receive the fix.
If running an older unsupported series (e.g., 5.0.x, 4.1.x, 3.2.x), plan to upgrade to a supported release with the patch, or apply a temporary manual review of signed cookie usage.
Review application code that calls django.http.HttpRequest.get_signed_cookie and enforce that each cookie name uses a unique salt, avoiding reuse across different contexts until an official patch is applied.

Generated by OpenCVE AI on June 4, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://nvd.nist.gov/vuln/detail/CVE-2026-6873
https://www.cve.org/CVERecord?id=CVE-2026-6873
https://www.djangoproject.com/weblog/2026/jun/03/security-releases/

History

Thu, 04 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-303
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6873 https://www.cve.org/CVERecord?id=CVE-2026-6873
Metrics	threat_severity `None`	threat_severity `Low`

Wed, 03 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Djangoproject Djangoproject django
Vendors & Products		Djangoproject Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.
Title		Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
Weaknesses		CWE-347
References		https://docs.djangoproject.com/en/dev/releases/security/ https://groups.google.com/g/django-announce https://www.djangoproject.com/weblog/2026/jun/03/security-releases/
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}` cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Djangoproject Django

MITRE

Status: PUBLISHED

Assigner: DSF

Published: 2026-06-03T13:16:03.924Z

Updated: 2026-06-03T15:43:58.829Z

Reserved: 2026-04-22T18:12:39.603Z

Link: CVE-2026-6873

Vulnrichment

Updated: 2026-06-03T15:43:56.065Z

NVD

Status : Undergoing Analysis

Published: 2026-06-03T14:16:46.483

Modified: 2026-06-04T15:21:14.080

Link: CVE-2026-6873

Redhat

Severity : Low

Publid Date: 2026-06-03T13:16:03Z

Links: CVE-2026-6873 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T01:45:46Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object