CVE-2026-6873
Received Received - Intake
Insecure Cookie Signing in Django Framework

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: Django Software Foundation

Description
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-03
AI Q&A
2026-06-03
EPSS Evaluated
N/A
NVD
CVE-2026-6873
EUVD
EUVD-2026-34086
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
django django to 5.2.15 (exc)
django django to 6.0.6 (exc)
django django 5.0
django django 4.1
django django 3.2
django django 4.2
django django 5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Django's method `django.http.HttpRequest.get_signed_cookie()`. The issue arises because the salt used for signing cookies is derived by simply concatenating the cookie name and the salt argument. This non-injective salt derivation means that different pairs of cookie names and salts can produce the same concatenated value.

As a result, a remote attacker can exploit this to use a cookie in a different context than the one where it was originally signed, by finding distinct (name, salt) pairs that collide. This can lead to cookies being accepted in unintended contexts.


How can this vulnerability impact me? :

The impact of this vulnerability is that an attacker could reuse a signed cookie in a different context than intended, potentially bypassing some security checks that rely on cookie signing.

However, the severity of this issue is classified as low, indicating that while it may allow some misuse of cookies, it is unlikely to lead to severe compromise such as full account takeover or data breach by itself.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Django to a fixed version where the issue has been resolved.

  • Upgrade Django 6.0 to version 6.0.6 or later.
  • Upgrade Django 5.2 to version 5.2.15 or later.

Note that older unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x may also be affected and should be evaluated accordingly.

The vulnerability has been fixed by implementing an unambiguous salt derivation method in the get_signed_cookie function.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart