Description
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kasper Dupont for reporting this issue.
Published: 2026-06-03
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is found in django.core.mail.backends.smtp.EmailBackend, which allows a partially‑initialized SMTP connection to be reused after a failed STARTTLS handshake when fail_silently=True. This means an on‑path attacker can read email content in cleartext, violating confidentiality. The weakness is a cleartext transmission of sensitive information (CWE‑319).

Affected Systems

Django 6.0 versions earlier than 6.0.6 and Django 5.2 versions earlier than 5.2.15 may be affected. Earlier Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated but could also potentially be vulnerable.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need on‑path network access and the ability to observe or influence a failed STARTTLS handshake; the exploit would allow eavesdropping but does not provide code execution or broader system compromise. The overall risk is moderate for confidentiality but low for overall system compromise.

Generated by OpenCVE AI on June 3, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to version 6.0.6 or newer, or 5.2.15 or newer, which contain the fix.
  • Configure the SMTP email backend to set fail_silently to False so that a failed STARTTLS handshake does not result in a reused cleartext connection.
  • Ensure the application and SMTP server enforce TLS (e.g., EMAIL_USE_TLS and EMAIL_USE_SSL) and limit SMTP traffic to trusted networks to reduce the opportunity for on‑path interception.

Generated by OpenCVE AI on June 3, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.
Title Potential unencrypted email transmission via STARTTLS in the SMTP backend
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T15:43:34.012Z

Reserved: 2026-05-01T19:59:31.353Z

Link: CVE-2026-7666

cve-icon Vulnrichment

Updated: 2026-06-03T15:43:30.919Z

cve-icon NVD

Status : Received

Published: 2026-06-03T14:16:47.087

Modified: 2026-06-03T14:16:47.087

Link: CVE-2026-7666

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T15:45:36Z

Weaknesses