Bug 2484373 (CVE-2026-6873)

Summary: CVE-2026-6873 python-django: Django: Information disclosure via non-injective cookie salt derivation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anthomas, brasmith, cmyers, cochase, dnakabaa, dranck, dschmidt, ehelms, erezende, ggainey, jlanda, jmitchel, juwatts, jwong, kaycoth, kshier, lcouzens, mhulan, nmoumoul, omaciel, osousa, pbohmill, pcreech, rchan, simaishi, smallamp, smcdonal, stcannon, teagle, tmalecek, ttakamiy, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Django. A remote attacker could exploit a non-injective salt derivation in `django.http.HttpRequest.get_signed_cookie` by crafting specific cookie name and salt argument pairs. This vulnerability allows the attacker to use a signed cookie in a different context than intended, potentially leading to information disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-03 15:01:55 UTC
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Peng Zhou for reporting this issue.