Copyright © 2012 Red Hat, Inc. All rights reserved. Low 2026-06-03T13:16:15 django: Django: Information disclosure via failed STARTTLS handshake in EmailBackend 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CWE-325

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

A flaw was found in Django. An on-path network attacker could exploit a vulnerability in `django.core.mail.backends.smtp.EmailBackend` where a partially-initialized connection is reused after a failed `STARTTLS` handshake when `fail_silently=True`. This could allow the attacker to intercept and read email content, leading to information disclosure.

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-24/lightspeed-rhel8 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-25/lightspeed-rhel8 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/eda-controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/gateway-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/lightspeed-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/aap-cloud-billing-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/eda-controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/gateway-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/lightspeed-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-27/metrics-service-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform/automation-dashboard-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-tech-preview/metrics-service-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Discovery 2 Fix deferred discovery/discovery-server-rhel9 Red Hat Satellite 6 Fix deferred satellite/iop-advisor-backend-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-7666 https://nvd.nist.gov/vuln/detail/CVE-2026-7666 https://docs.djangoproject.com/en/dev/releases/security/ https://groups.google.com/g/django-announce https://www.djangoproject.com/weblog/2026/jun/03/security-releases/