Potential unencrypted email transmission via STARTTLS in the SMTP backend

3.1 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Description

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kasper Dupont for reporting this issue.

Basic Information

ID CVE-2026-7666

Source DSF

Published Jun 3, 2026 at 13:16

Affected Product

Vendor djangoproject

Product Django

Version 6.0

Affected Versions djangoproject Django 6.0
djangoproject Django 5.2

CWE Classification

CWE-319

References

{
    "lastseen": "",
    "description": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kasper Dupont for reporting this issue.",
    "published": "2026-06-03T13:16:15.446Z",
    "modified": "2026-06-03T13:16:15.446Z",
    "type": "cve",
    "title": "Potential unencrypted email transmission via STARTTLS in the SMTP backend",
    "source": "DSF",
    "references": "https://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/",
    "id": "CVE-2026-7666",
    "bulletinFamily": "",
    "cwe": [
        "CWE-319"
    ],
    "cvelist": null,
    "sourceData": "djangoproject Django 6.0\ndjangoproject Django 5.2",
    "sourceHref": "",
    "cvss": {
        "score": 3.1,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Django",
    "version": "6.0",
    "vendor": "djangoproject",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Potential unencrypted email transmission via STARTTLS in the SMTP backend_CVE-2026-7666