CVE-2026-53878
Received Received - Intake

HTTP Header Injection via DomainNameValidator in Django

Vulnerability report for CVE-2026-53878, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Django Software Foundation

Description

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
django django to 5.2.16 (exc)
django django to 6.0.7 (exc)
django django 5.0
django django 4.1
django django 3.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-144 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade Django to version 6.0.7 or later if you are using the 6.0 series, or to version 5.2.16 or later if you are using the 5.2 series.

Ensure that any user input that may be used in HTTP response headers is properly sanitized to prevent newlines in domain names, especially if not using Django form fields which strip newlines automatically.

Executive Summary

This vulnerability exists in Django versions 6.0 before 6.0.7 and 5.2 before 5.2.16. The issue is that the DomainNameValidator does not prohibit newlines in domain names unless the domain name is used via a form field, where CharField strips newlines. If an application uses domain name values containing newlines in an HTTP response, it can lead to HTTP header injection.

Django itself is not affected because its HttpResponse component prohibits newlines in HTTP headers, preventing exploitation within Django's own responses. However, applications using the validator improperly may be vulnerable.

Impact Analysis

If an application accepts domain names with newlines and uses these values in HTTP responses without proper sanitization, an attacker could perform HTTP header injection. This can allow attackers to manipulate HTTP headers, potentially leading to security issues such as response splitting, cache poisoning, or cross-site scripting (XSS).

Compliance Impact

The vulnerability allows HTTP response header injection if an application uses values with newlines in domain names, which could potentially lead to security issues such as response splitting or injection attacks.

Such security weaknesses may impact compliance with standards like GDPR or HIPAA, which require protection of data integrity and confidentiality, because exploitation could lead to unauthorized manipulation of HTTP headers and potentially compromise user data or session integrity.

However, Django itself is not affected because its HttpResponse component prohibits newlines in HTTP headers, reducing the risk at the framework level.

The actual impact on compliance depends on how individual applications use the vulnerable DomainNameValidator and handle user input in HTTP responses.

Detection Guidance

This vulnerability involves the DomainNameValidator in Django allowing newlines in domain names, which can lead to HTTP header injection if those values are used in HTTP responses.

Detection would involve checking if your Django application is using vulnerable versions (6.0 before 6.0.7 or 5.2 before 5.2.16) and whether any user input containing newlines is being passed into HTTP headers or domain name validations.

Since Django itself prohibits newlines in HTTP headers via HttpResponse, the risk is mainly in custom code or forms that do not strip newlines.

To detect potential exploitation or presence of this vulnerability on your system, you can:

  • Check the Django version installed: `python -m django --version`
  • Search your codebase for usage of DomainNameValidator or custom domain validation that might allow newlines.
  • Monitor HTTP responses for suspicious header injection attempts, such as headers containing newline characters (`\n` or `\r`).
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic and filter for suspicious headers containing newline characters.
  • Example command to check HTTP headers for newlines in captured traffic: `tcpdump -A -s 0 'tcp port 80' | grep -P '\r|\n'` (adjust for your environment).
  • Review application logs for any unusual input containing newline characters in domain name fields.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53878. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart