Bug 2484369 (CVE-2026-7666)

Summary: CVE-2026-7666 django: Django: Information disclosure via failed STARTTLS handshake in EmailBackend
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anthomas, brasmith, cmyers, cochase, dnakabaa, dranck, dschmidt, ehelms, erezende, ggainey, jlanda, jmitchel, juwatts, jwong, kaycoth, kshier, lcouzens, mhulan, nmoumoul, omaciel, osousa, pbohmill, pcreech, rchan, simaishi, smallamp, smcdonal, stcannon, teagle, tmalecek, ttakamiy, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Django. An on-path network attacker could exploit a vulnerability in `django.core.mail.backends.smtp.EmailBackend` where a partially-initialized connection is reused after a failed `STARTTLS` handshake when `fail_silently=True`. This could allow the attacker to intercept and read email content, leading to information disclosure.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-03 15:01:28 UTC 
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Kasper Dupont for reporting this issue.