Bug 2497329 (CVE-2026-53878) - CVE-2026-53878 django: Django: HTTP header injection via DomainNameValidator accepting newlines
Summary: CVE-2026-53878 django: Django: HTTP header injection via DomainNameValidator ...
Keywords:
Status: NEW
Alias: CVE-2026-53878
Deadline: 2026-07-07
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-06 11:44 UTC by OSIDB Bzimport
Modified: 2026-07-10 14:23 UTC (History)
32 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)
0003-5.2.x-Fixed-CVE-2026-53878-Prevented-newlines-from-b.patch (4.02 KB, patch)
2026-07-06 12:12 UTC, Yadnyawalk Tale
no flags Details | Diff
0003-6.0.x-Fixed-CVE-2026-53878-Prevented-newlines-from-b.patch (5.11 KB, patch)
2026-07-06 12:12 UTC, Yadnyawalk Tale
no flags Details | Diff
0003-6.1.x-Fixed-CVE-2026-53878-Prevented-newlines-from-b.patch (5.11 KB, patch)
2026-07-06 12:12 UTC, Yadnyawalk Tale
no flags Details | Diff
0003-Fixed-CVE-2026-53878-Prevented-newlines-from-being-a.patch (5.10 KB, patch)
2026-07-06 12:12 UTC, Yadnyawalk Tale
no flags Details | Diff

Description OSIDB Bzimport 2026-07-06 11:44:51 UTC
A flaw was found in Django. django.core.validators.DomainNameValidator accepted newline characters in domain names. If validated values are placed directly into HTTP response headers outside Django's form handling, a remote attacker could inject additional headers.

Comment 2 Yadnyawalk Tale 2026-07-06 12:12:00 UTC
Created attachment 2147816 [details]
0003-5.2.x-Fixed-CVE-2026-53878-Prevented-newlines-from-b.patch

Comment 3 Yadnyawalk Tale 2026-07-06 12:12:03 UTC
Created attachment 2147817 [details]
0003-6.0.x-Fixed-CVE-2026-53878-Prevented-newlines-from-b.patch

Comment 4 Yadnyawalk Tale 2026-07-06 12:12:06 UTC
Created attachment 2147818 [details]
0003-6.1.x-Fixed-CVE-2026-53878-Prevented-newlines-from-b.patch

Comment 5 Yadnyawalk Tale 2026-07-06 12:12:08 UTC
Created attachment 2147819 [details]
0003-Fixed-CVE-2026-53878-Prevented-newlines-from-being-a.patch


Note You need to log in before you can comment on or make changes to this bug.