LOW 3.1

CVE-2026-7666: Django SMTP Email Backend STARTTLS Fallback Vulnerability

Django's email system has a vulnerability that can expose email content over the network under specific conditions. When Django is configured to silently ignore mail delivery errors (`fail_silently=True`) and a secure connection attempt fails, the system may reuse a partially-initialized connection that falls back to unencrypted communication. An attacker positioned on the network path between your application and the mail server could potentially read email content in transit. This requires multiple conditions to align: configuration settings, network positioning, and a failed STARTTLS handshake.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-319
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Django's SMTP email backend (`django.core.mail.backends.smtp.EmailBackend`). When STARTTLS negotiation fails with `fail_silently=True`, the backend may reuse a connection that has not been fully secured. Rather than properly terminating and requiring a new encrypted connection, the degraded connection can continue to be used for sending email, resulting in plaintext transmission. The issue affects Django 6.0 before 6.0.6 and 5.2 before 5.2.15. Earlier unsupported series (5.0.x, 4.1.x, 3.2.x) have not been fully evaluated but may contain the same flaw. The specific weakness is improper handling of failed TLS initialization (CWE-319).

Business impact

Organizations relying on Django to send sensitive emails—password resets, notifications, OTPs, account alerts—face potential exposure if those messages transit unencrypted. The impact is context-dependent: a healthcare provider or financial institution transmitting PII or account information would face compliance and reputational consequences. A public-facing web application sending transactional emails would have lower exposure. The vulnerability requires a network-level attacker, limiting the threat surface to organizations operating in untrusted network environments or those vulnerable to BGP hijacking, DNS poisoning, or compromised network infrastructure.

Affected systems

Django versions 6.0.0 through 6.0.5 and 5.2.0 through 5.2.14 are confirmed affected. Older unsupported branches (5.0.x, 4.1.x, 3.2.x) have not been formally evaluated by the Django project but may be vulnerable—organizations running these versions should verify their specific code path or upgrade. Any Django application that: (1) sends email via SMTP, (2) uses `fail_silently=True` in email backend configuration, and (3) operates in an environment where network interception is possible is at risk.

Exploitability

The CVSS score of 3.1 (LOW) reflects the barriers to successful exploitation. An attacker must be positioned on the network path (on-path requirement), must trigger a STARTTLS failure (high complexity), and benefits only from confidentiality loss (no integrity or availability impact). The attack is not remotely exploitable from arbitrary internet locations and requires either compromised network infrastructure or deployment in shared/untrusted networks. User interaction is noted in the vector, suggesting application-level configuration or deployment context matters. Overall, exploitation is technically feasible but operationally constrained.

Remediation

Upgrade to Django 6.0.6 or later (recommended) and Django 5.2.15 or later. For unsupported versions, verify the SMTP backend code and consider migrating to a supported release. Immediately audit Django applications with `fail_silently=True` in email configuration—this setting prioritizes availability over security and should be reviewed for each use case. Consider using `fail_silently=False` in production to surface connection failures, or implement retry logic with explicit error handling. Network-level mitigation: deploy applications and mail servers on trusted, encrypted networks (VPN, private cloud infrastructure) to reduce the attack surface.

Patch guidance

Verify your Django version: `python -c "import django; print(django.get_version())"`. For Django 6.0.x, upgrade to 6.0.6 or later. For Django 5.2.x, upgrade to 5.2.15 or later. Test the patch in a staging environment to confirm email delivery still functions correctly, particularly if you rely on error suppression. Organizations on unsupported versions should either upgrade to a supported release or apply the fix from the Django repository's backports if available—verify against the official Django security advisory for your specific version. Restart application servers after patching.

Detection guidance

Monitor email backend logs for STARTTLS failures and connection resets. Enable TLS certificate pinning or verification logging on mail servers to detect fallback to cleartext. Network detection: examine SMTP traffic on the wire for lack of STARTTLS capability advertisement or POST-STARTTLS plaintext transmission—if emails are traversing cleartext after a failed TLS handshake, the vulnerable code path is active. Application-level: audit Django settings for `fail_silently=True` in EMAIL_BACKEND configurations. If using third-party mail services or on-premises mail servers, verify TLS enforcement at both endpoints. Consider deploying email content encryption (PGP/S/MIME) as a defense-in-depth layer.

Why prioritize this

Prioritize this vulnerability for rapid triage rather than panic-level response. The LOW CVSS score and lack of KEV listing reflect reality: widespread exploitation is unlikely due to network positioning requirements. However, any application sending sensitive data via email should patch on the next scheduled maintenance window. Organizations operating in shared networks, cloud environments without network segmentation, or handling regulated data (healthcare, finance) should prioritize sooner. This is a supply-chain continuity issue—updating Django also addresses other concurrent fixes in those minor releases.

Risk score, explained

CVSS 3.1 (LOW) captures: Network-based attack only (AV:N), high complexity due to needing on-path position AND STARTTLS failure (AC:H), no privileges required (PR:N), user interaction required (UI:R—likely the application's mail configuration), integrity and availability unaffected (I:N/A:N), only confidentiality slightly impacted (C:L). The score appropriately reflects a narrow but real risk: attackers cannot remotely exploit this from the public internet, but motivated actors with network access can extract email content. It is not a critical flaw but deserves standard production patching discipline.

Frequently asked questions

Why does `fail_silently=True` matter for this vulnerability?

`fail_silently=True` tells Django to suppress mail delivery errors silently rather than raising exceptions. When STARTTLS fails with this setting, Django continues using the degraded connection instead of terminating it and forcing a new, properly-secured connection. With `fail_silently=False`, the exception would stop execution and prevent plaintext email transmission, but it also breaks application flow if mail is unavailable. This is a trade-off: silencing errors improves uptime but degrades security.

Can this vulnerability be exploited from the public internet?

No. The attacker must be positioned on the network path between your Django application and the mail server, or control infrastructure in that path (ISP, router, DNS, BGP). A random attacker on the internet cannot trigger this vulnerability directly. However, if your mail server is external and traffic routes over shared internet paths, an attacker could potentially intercept and monitor traffic.

Do I need to change my application code, or just update Django?

Updating Django to the patched version is the primary fix. However, you should audit your Django settings: if you use `fail_silently=True` in production for email, review whether it is truly necessary. Consider setting it to `False` with proper error handling, or use a dedicated error-monitoring service. Changing this setting does not require code rewrite—it is a configuration change.

Are unsupported Django versions (3.2, 4.1, 5.0) affected?

The Django project has not formally evaluated these out-of-support versions. The vulnerability exists in the SMTP backend code, which has remained largely unchanged across versions, so they are likely vulnerable. If you are running unsupported Django, the best path is to upgrade to a supported version (6.0.6+ or 5.2.15+). If that is not feasible, test your SMTP configuration thoroughly and consider network-level mitigations like VPN or email encryption.

This analysis is provided for informational purposes and reflects the vulnerability as understood from public disclosures and CVSS vector data current as of the published date. SEC.co does not provide legal advice. Organizations should verify patch availability and compatibility with their specific Django deployment through official Django security advisories before applying updates. The evaluation of unsupported Django versions is based on code similarity; organizations running out-of-support versions should conduct their own security assessment. Network exploitability depends on your specific infrastructure topology and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).