Salt collision in Django HttpRequest.get_signed_cookie before 6.0.6/5.2.15
CVE-2026-6873 Published on June 3, 2026
Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (it concatenates the cookie name and the `salt` argument), so distinct `(name, salt)` pairs can produce the same derived salt: for example `("ab", "c")` and `("a", "bc")` both yield `"abc"`. Because the signing key is namespaced only by that derived salt, a remote attacker can present a cookie that was signed in one context (one cookie name and salt) to a different context whose `(name, salt)` pair produces the same concatenation, and it verifies there.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
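The following is an added example, not Django's code and not the upstream patch. It uses a small salted-HMAC signer that mirrors the shape of Django's cookie signing (one HMAC key per salt namespace) to show why the concatenating derivation described above lets a signed cookie be replayed under a different cookie name, and how an injective encoding of `(name, salt)` closes the gap. The secret key, cookie names, values and the length-prefixed encoding are all constructed for this illustration; the `salt_length_prefixed` function is this example's own choice of fix, not a statement of what Django 6.0.6 / 5.2.15 do.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed secret for this demonstration only; a real deployment uses
# settings.SECRET_KEY. This toy signer mirrors the *shape* of Django's
# salted-HMAC signing (one key per salt namespace); it is not Django's code.
SECRET_KEY = b"constructed-secret-key-for-demo-only"

SaltDeriver = Callable[[str, str], str]


def _salted_key(salt: str) -> bytes:
    """Derive a per-namespace HMAC key from the salt and the secret.

    Two contexts are cryptographically separated only if their salts differ,
    so any collision in salt derivation collapses that separation entirely.
    """
    return hashlib.sha256(salt.encode("utf-8") + SECRET_KEY).digest()


def sign(salt: str, value: str) -> str:
    """Return "value:hexmac" signed under the given salt namespace."""
    mac = hmac.new(_salted_key(salt), value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def unsign(salt: str, signed: str) -> Optional[str]:
    """Return the value if the MAC verifies under this salt, else None."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(_salted_key(salt), value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def salt_concat(name: str, salt: str) -> str:
    """Vulnerable pattern described in the advisory: plain concatenation.
    ("auth_role", "x") and ("auth_rolex", "") both yield "auth_rolex"."""
    return name + salt


def salt_length_prefixed(name: str, salt: str) -> str:
    """Injective alternative chosen for this example (assumption, not the
    upstream fix): length-prefix each component so decoding is unambiguous."""
    return f"{len(name)}:{name}|{len(salt)}:{salt}"


def set_signed_cookie(derive: SaltDeriver, name: str, value: str, salt: str = "") -> str:
    """Server side: sign a cookie value in the (name, salt) context."""
    return sign(derive(name, salt), value)


def get_signed_cookie(derive: SaltDeriver, name: str, signed: str, salt: str = "") -> Optional[str]:
    """Server side: verify a presented cookie in the (name, salt) context."""
    return unsign(derive(name, salt), signed)


def cross_context_replay(derive: SaltDeriver) -> Optional[str]:
    """Sign a value for cookie "auth_role" with salt "x", then present the same
    signed string as cookie "auth_rolex" read with salt "" (constructed names).
    The concatenating deriver accepts it in the foreign context; the injective
    one rejects it."""
    signed = set_signed_cookie(derive, "auth_role", "admin", salt="x")
    return get_signed_cookie(derive, "auth_rolex", signed, salt="")


def legitimate_roundtrip(derive: SaltDeriver) -> Optional[str]:
    """Same (name, salt) on both sides must still verify with either deriver."""
    signed = set_signed_cookie(derive, "auth_role", "admin", salt="x")
    return get_signed_cookie(derive, "auth_role", signed, salt="x")


if __name__ == "__main__":
    print("concat  :", cross_context_replay(salt_concat))           # 'admin' (accepted)
    print("prefixed:", cross_context_replay(salt_length_prefixed))  # None (rejected)
```

The check a practitioner wants from this is the pair of calls at the bottom: the replayed cookie verifies under `salt_concat` because both contexts derive the identical HMAC key, and fails under `salt_length_prefixed` because the encoded salts differ. Any encoding that is injective over `(name, salt)` works; a bare separator is only sufficient if that character can never appear in a cookie name or salt.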
Django would like to thank Peng Zhou for reporting this issue.
Timeline
- Initial report received.
- Vulnerability confirmed (46 days later).
- Security release issued (22 days later).
Weakness Type
Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Products Associated with CVE-2026-6873
Affected Versions
djangoproject Django:
- Versions 6.0 up to but not including 6.0.6 are affected.
- Version 6.0.6 is unaffected.
- Versions 5.2 up to but not including 5.2.15 are affected.
- Version 5.2.15 is unaffected.