CVE-2026-6873 PUBLISHED

Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

Assigner: DSF
Reserved: 22.04.2026
Published: 03.06.2026
Updated: 03.06.2026

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.get_signed_cookie in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct (name, salt) pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.
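The flaw described above is a property of the derivation, not of the HMAC: if the per-cookie salt is built by plain string concatenation, `("session", "id")` and `("sessioni", "d")` both derive the salt `"sessionid"`, so a signature produced for one pair verifies under the other. The following is an added example, not Django's signing code, that reproduces the problem on a small HMAC-based signer and contrasts it with an injective derivation (length-prefixed fields). All names here (`naive_salt`, `injective_salt`, `sign_cookie`, `verify_cookie`, the demo secret) are constructed for the illustration; the length-prefixed form is a generic fix pattern and is not a claim about how the patched Django releases derive the salt.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment uses its own SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-not-a-real-key"


def naive_salt(name: str, salt: str) -> str:
    """Vulnerable pattern: plain concatenation is not injective.

    Different (name, salt) pairs can map to the same string, so the
    signing context is not uniquely identified by the derived salt.
    """
    return name + salt


def injective_salt(name: str, salt: str) -> str:
    """Injective derivation: each field is length-prefixed, so the
    original (name, salt) pair can be recovered from the derived string
    and two different pairs can never collide."""
    return f"{len(name)}:{name}{len(salt)}:{salt}"


def _context_key(derived_salt: str) -> bytes:
    # Derive a per-context key from the secret and the derived salt.
    return hmac.new(SECRET_KEY, derived_salt.encode(), hashlib.sha256).digest()


def sign_cookie(name: str, value: str, salt: str, derive) -> str:
    """Return a hex HMAC over the cookie value, keyed by the context."""
    key = _context_key(derive(name, salt))
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def verify_cookie(name: str, value: str, sig: str, salt: str, derive) -> bool:
    """Constant-time check that sig was produced for (name, salt, value)."""
    expected = sign_cookie(name, value, salt, derive)
    return hmac.compare_digest(expected, sig)


def cross_context_accepted(derive) -> bool:
    """Sign a value in one context and try to verify it in a different
    context whose concatenated form is identical. Returns True when the
    signer wrongly accepts the cookie outside its original context."""
    sig = sign_cookie("session", "user=42", "id", derive)
    return verify_cookie("sessioni", "user=42", sig, "d", derive)


if __name__ == "__main__":
    print("naive (concatenation) accepts cross-context:", cross_context_accepted(naive_salt))
    print("injective (length-prefixed) accepts cross-context:", cross_context_accepted(injective_salt))
```

The defender's takeaway: whenever several strings are folded into one key-derivation input, the encoding must be unambiguous (length prefixes, a delimiter that is rejected in the inputs, or a structured hash such as separate HMAC rounds per field). Auditing your own code for `name + salt`-style derivations is a cheap check that catches this class of bug independently of the framework version.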

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor djangoproject
Product Django
Versions Default: unaffected
  • affected from 6.0 to 6.0.6 (excl.)
  • Version 6.0.6 is unaffected
  • affected from 5.2 to 5.2.15 (excl.)
  • Version 5.2.15 is unaffected

Credits

  • Peng Zhou reporter
  • Paul McMillan remediation developer
  • Natalia Bidart coordinator

Problem Types

  • CWE-347: Improper Verification of Cryptographic Signature

Impacts

  • CAPEC-475: Signature Spoofing by Improper Validation