CVE-2026-7666

Potential unencrypted email transmission via STARTTLS in the SMTP backend

Assigner: DSF
Reserved: 01.05.2026 Published: 03.06.2026 Updated: 03.06.2026

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when fail_silently=True, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	djangoproject
Product	Django
Versions	Default: unaffected affected from 6.0 to 6.0.6 (excl.) Version 6.0.6 is unaffected affected from 5.2 to 5.2.15 (excl.) Version 5.2.15 is unaffected

Vendor

djangoproject

Product

Django

Versions

Default: unaffected

affected from 6.0 to 6.0.6 (excl.)
Version 6.0.6 is unaffected
affected from 5.2 to 5.2.15 (excl.)
Version 5.2.15 is unaffected

Credits

Kasper Dupont reporter
Jake Howard remediation developer
Natalia Bidart coordinator

References

Problem Types

CWE-319: Cleartext Transmission of Sensitive Information CWE

Impacts

CAPEC-94: Adversary in the Middle (AiTM)