CVE-2026-7666
STARTTLS Connection Reuse Flaw in Django Email Backend
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: Django Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| django | django | up to 5.2.15 (exclusive) |
| django | django | up to 6.0.6 (exclusive) |
| django | django | 5.0 |
| django | django | 4.1 |
| django | django | 3.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Django versions 6.0 before 6.0.6 and 5.2 before 5.2.15 in the django.core.mail.backends.smtp.EmailBackend component. When the STARTTLS handshake fails and the fail_silently option is set to true, Django fails to prevent reuse of a partially-initialized SMTP connection. This flaw allows an on-path network attacker to intercept and read email content in cleartext.
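The reuse path described above, as an added Python model constructed here (FakeSMTP, ModelBackend and cleartext_sends are stand-ins, not Django's own code): open() swallows the STARTTLS failure when fail_silently=True but leaves the half-initialized session in self.connection, so the next send_messages() call reuses it in cleartext; the fixed variant closes the session before returning.

```python
# Constructed model of the reuse path: FakeSMTP and ModelBackend are stand-ins, not Django's code.
class FakeSMTP:  # stand-in SMTP session that records whether TLS was negotiated
    def __init__(self, host, starttls_ok):
        self.host, self.starttls_ok = host, starttls_ok
        self.tls_active, self.sent = False, []

    def starttls(self):
        if not self.starttls_ok:
            raise OSError("STARTTLS handshake failed")  # refused or interrupted on the path
        self.tls_active = True

    def sendmail(self, message):
        self.sent.append((message, self.tls_active))  # remembers cleartext vs. TLS per message

class ModelBackend:  # simplified open()/close()/send_messages() with flawed and fixed open()
    def __init__(self, fail_silently=False, starttls_ok=True, fixed=False):
        self.fail_silently, self.starttls_ok, self.fixed = fail_silently, starttls_ok, fixed
        self.connection = None

    def open(self):
        if self.connection:
            return False  # an existing session is reused as-is, TLS or not
        try:
            self.connection = FakeSMTP("mail.example.invalid", self.starttls_ok)
            self.connection.starttls()
            return True
        except OSError:
            if self.fixed:
                self.close()  # fix: discard the half-initialized session before returning
            if not self.fail_silently:
                raise
            return None  # flawed path: error swallowed, but self.connection is still set

    def close(self):
        self.connection = None

    def send_messages(self, messages):
        new_conn = self.open()
        if not self.connection or new_conn is None:
            return 0  # the call right after a failed handshake sends nothing ...
        for message in messages:
            self.connection.sendmail(message)  # ... but later calls reuse the session
        return len(messages)

def cleartext_sends(backend, messages=("first", "second")):
    # Send each message in its own call, keeping the backend open in between.
    for message in messages:
        backend.send_messages([message])
    conn = backend.connection
    return [m for m, tls in conn.sent if not tls] if conn else []
```

With the flawed open(), the first send after a failed handshake is dropped but the second goes out in cleartext; the fixed open() never keeps the session, so nothing is sent unprotected.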
How can this vulnerability impact me?
The vulnerability can lead to exposure of email content to attackers who are positioned on the network path between the client and the mail server. Because the connection may be reused without proper security after a failed STARTTLS handshake, sensitive email data can be intercepted and read in cleartext, potentially compromising confidential information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows on-path network attackers to read email content via cleartext interception due to the reuse of a partially-initialized SMTP connection after a failed STARTTLS handshake when fail_silently=True. Such exposure of email content could lead to unauthorized disclosure of sensitive information.
Exposure of sensitive email content in transit may impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and health information during transmission. Organizations using affected Django versions might face increased risk of non-compliance if this vulnerability is exploited.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Django to version 6.0.6 or later if you are using the 6.0 series, or to version 5.2.15 or later if you are using the 5.2 series.
Avoid using the `fail_silently=True` option with the `django.core.mail.backends.smtp.EmailBackend` until the patch is applied, as this setting allows reuse of a partially-initialized connection after a failed STARTTLS handshake.
Consider monitoring your network for cleartext email content transmissions that could indicate exploitation attempts.