CVE-2026-6873
Analyzed Analyzed - Analysis Complete
Insecure Cookie Signing in Django Framework

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: Django Software Foundation

Description
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-05
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-6873
EUVD
EUVD-2026-34086
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
djangoproject django From 5.2 (inc) to 5.2.15 (exc)
djangoproject django From 6.0 (inc) to 6.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Django's method `django.http.HttpRequest.get_signed_cookie()`. The issue arises because the salt used for signing cookies is derived by simply concatenating the cookie name and the salt argument. This non-injective salt derivation means that different pairs of cookie names and salts can produce the same concatenated value.

As a result, a remote attacker can exploit this to use a cookie in a different context than the one where it was originally signed, by finding distinct (name, salt) pairs that collide. This can lead to cookies being accepted in unintended contexts.

Impact Analysis

The impact of this vulnerability is that an attacker could reuse a signed cookie in a different context than intended, potentially bypassing some security checks that rely on cookie signing.

However, the severity of this issue is classified as low, indicating that while it may allow some misuse of cookies, it is unlikely to lead to severe compromise such as full account takeover or data breach by itself.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Django to a fixed version where the issue has been resolved.

  • Upgrade Django 6.0 to version 6.0.6 or later.
  • Upgrade Django 5.2 to version 5.2.15 or later.

Note that older unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x may also be affected and should be evaluated accordingly.

The vulnerability has been fixed by implementing an unambiguous salt derivation method in the get_signed_cookie function.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart