CVE-2026-7666
Status: Analyzed (analysis complete)
STARTTLS Connection Reuse Flaw in Django Email Backend

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: Django Software Foundation

Description
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.
Meta Information
Generated: 2026-06-23
EPSS evaluated: 2026-06-22
Affected Vendors & Products (2 associated CPEs)
Vendor         Product  Version / Range
djangoproject  django   >= 5.2 (inclusive), < 5.2.15 (exclusive)
djangoproject  django   >= 6.0 (inclusive), < 6.0.6 (exclusive)
CWE
CWE-319: The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Mitigation Strategies

Upgrade Django to 6.0.6 or later on the 6.0 series, or to 5.2.15 or later on the 5.2 series. Earlier series (5.0.x, 4.1.x, 3.2.x) are out of support and were not evaluated; treat them as potentially affected and move to a supported release.

Until the patch is applied, do not set `fail_silently=True` when sending through `django.core.mail.backends.smtp.EmailBackend` with STARTTLS (`EMAIL_USE_TLS`): with `fail_silently=False` a failed STARTTLS handshake raises and the message is not sent, instead of leaving a partially-initialized cleartext connection behind for later sends to reuse. Where the mail server offers implicit TLS (`EMAIL_USE_SSL`, normally port 465), that path does not negotiate STARTTLS at all.

Monitor outbound SMTP from application hosts (typically TCP 587) for sessions that carry message bodies without a completed STARTTLS negotiation, and for STARTTLS commands answered with an error reply; an on-path attacker forcing the downgrade would produce exactly that pattern.

Executive Summary

This vulnerability exists in Django versions 6.0 before 6.0.6 and 5.2 before 5.2.15 in the `django.core.mail.backends.smtp.EmailBackend` component. When the STARTTLS handshake fails and `fail_silently=True`, the backend swallows the error but does not discard the SMTP connection it had already opened, so subsequent sends reuse that partially-initialized, still-cleartext connection. An on-path network attacker can therefore intercept and read email content in cleartext.
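The failure mode described above, as an added, simplified model: this is not Django's code and does not reproduce Django's actual patch. `FakeSMTP` is a constructed stand-in for `smtplib.SMTP` that records what would cross the wire, `StartTLSRefused` stands in for the smtplib error, and the hostnames, addresses and message body are constructed sample data. `VulnerableBackend.open()` keeps the half-initialized connection after a swallowed STARTTLS failure, exactly the pattern the summary describes; `FixedBackend.open()` tears it down before deciding whether to raise.

```python
# Constructed model of the failed-STARTTLS connection reuse, not Django's code.
from dataclasses import dataclass, field


class StartTLSRefused(Exception):
    """Stand-in for the smtplib error raised when the STARTTLS command fails."""


@dataclass
class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP; nothing here touches the network."""
    host: str
    starttls_ok: bool = True
    encrypted: bool = False
    closed: bool = False
    wire: list = field(default_factory=list)  # (message, was_encrypted) pairs

    def starttls(self):
        # An on-path attacker can force this branch by answering the client's
        # STARTTLS command with an error reply (STARTTLS stripping).
        if not self.starttls_ok:
            raise StartTLSRefused("454 TLS not available due to temporary reason")
        self.encrypted = True

    def sendmail(self, from_addr, to_addrs, msg):
        if self.closed:
            raise RuntimeError("sendmail() on a closed connection")
        self.wire.append((msg, self.encrypted))

    def quit(self):
        self.closed = True


class VulnerableBackend:
    """Keeps the half-initialized connection when STARTTLS fails silently."""

    def __init__(self, host, fail_silently=False, starttls_ok=True):
        self.host = host
        self.fail_silently = fail_silently
        self.starttls_ok = starttls_ok
        self.connection = None
        self.sockets = []  # every FakeSMTP ever created, kept for inspection

    def _connect(self):
        sock = FakeSMTP(self.host, starttls_ok=self.starttls_ok)
        self.sockets.append(sock)
        return sock

    def open(self):
        if self.connection:
            return False  # already open, nothing new was created
        self.connection = self._connect()
        try:
            self.connection.starttls()
            return True
        except StartTLSRefused:
            if not self.fail_silently:
                raise
            # BUG: the error is swallowed, but self.connection still points at a
            # live cleartext session, so send_messages() goes on to reuse it.
            return False

    def send_messages(self, messages):
        self.open()
        if self.connection is None:
            return 0
        for body in messages:
            self.connection.sendmail("app@example.com", ["ops@example.com"], body)
        return len(messages)


class FixedBackend(VulnerableBackend):
    """Tears the connection down on STARTTLS failure before deciding whether to raise."""

    def open(self):
        if self.connection:
            return False
        self.connection = self._connect()
        try:
            self.connection.starttls()
            return True
        except StartTLSRefused:
            # Never leave a cleartext session behind: close it and drop the reference.
            self.connection.quit()
            self.connection = None
            if not self.fail_silently:
                raise
            return False


def run_scenario(backend_cls, starttls_ok, fail_silently=True):
    """Send one constructed message; return (messages_sent, cleartext_leaks)."""
    backend = backend_cls("smtp.example.com", fail_silently=fail_silently,
                          starttls_ok=starttls_ok)
    sent = backend.send_messages(["Subject: reset link\n\ntoken=constructed-sample"])
    leaks = sum(1 for sock in backend.sockets for _, enc in sock.wire if not enc)
    return sent, leaks


def strict_mode_raises(backend_cls):
    """With fail_silently=False both variants surface the STARTTLS failure."""
    try:
        run_scenario(backend_cls, starttls_ok=False, fail_silently=False)
    except StartTLSRefused:
        return True
    return False
```

Call `run_scenario(VulnerableBackend, starttls_ok=False)` and `run_scenario(FixedBackend, starttls_ok=False)` to compare the two: the vulnerable backend reports one message delivered and one cleartext leak, the fixed one delivers nothing and leaks nothing, and when STARTTLS succeeds both deliver over the encrypted session. `strict_mode_raises` shows why the advisory scopes the issue to `fail_silently=True`: with the default of `False` the handshake failure propagates and no message is sent either way.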

Impact Analysis

The vulnerability exposes email content to an attacker positioned on the network path between the application and its mail server. Two conditions must hold: the backend is configured with `fail_silently=True`, and the STARTTLS handshake fails. The second condition is not left to chance; an on-path attacker who can already tamper with the session can make the STARTTLS attempt fail (for example by answering the STARTTLS command with an error reply), after which the backend keeps using the cleartext connection and every message sent through it can be read in transit.

Compliance Impact

Because the reused connection never completed TLS negotiation, anything the application sends by mail through it is disclosed to whoever can observe the path; the content of those messages, not just their existence, is at stake.

Exposure of email content in transit may affect compliance with data protection regimes such as GDPR and HIPAA, which require personal and health information to be protected in transmission. Organizations running affected Django versions with `fail_silently=True` on a STARTTLS (`EMAIL_USE_TLS`) backend should treat the upgrade as a compliance item as well as a security fix.
