CVE-2026-6873 Overview
CVE-2026-6873 is a cryptographic weakness in the Django web framework affecting django.http.HttpRequest.get_signed_cookie. The method derives the salt it hands to django.core.signing by concatenating the cookie name and the caller-supplied salt argument with no separator, so the derivation is not injective: distinct (name, salt) pairs such as ("ab", "cd") and ("a", "bcd") yield the same effective salt and therefore the same HMAC key. A remote attacker holding a cookie signed in one context can present it in another context whose pair concatenates to the same string, and the framework accepts the signature as valid. The flaw is tracked under CWE-347: Improper Verification of Cryptographic Signature. Django credits Peng Zhou for reporting the issue.
Critical Impact
A signed cookie issued for one (name, salt) context can be replayed in a different context that shares the same concatenated derivation, undermining the integrity guarantees of get_signed_cookie.
Affected Products
- Django 6.0 before 6.0.6
- Django 5.2 before 5.2.15
- Earlier unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected
Discovery Timeline
- Vulnerability reported to Django by Peng Zhou
- 2026-06-03 - CVE-2026-6873 published to NVD
- 2026-06-03 - Django security releases published per the Django Weblog Security Releases
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-6873
Vulnerability Analysis
Django's get_signed_cookie method validates cookie integrity with django.core.signing, which mixes a salt value into the derivation of the HMAC key. The vulnerable implementation builds the effective salt by concatenating the cookie name with the caller-supplied salt argument (the same derivation set_signed_cookie uses when issuing the cookie). Because the concatenation carries no delimiter or length prefix, the mapping from (name, salt) to the effective salt is not injective: different pairs can share one effective salt, and with it one signing key.
An attacker who can obtain or influence a signed cookie in one context can present that cookie in a different context whose (name, salt) pair produces the same concatenated string. The signature still validates, so the application accepts the cookie value as authentic in a context the developer did not intend. Exploitation therefore needs two things the attacker does not control: an application that actually uses colliding (name, salt) pairs, and a way to obtain a valid signed value for one of them. Together with the fact that only data the developer chose to protect with get_signed_cookie is exposed, this bounds the impact and is why the issue is rated low severity.
Root Cause
The root cause is a CWE-347 signature verification weakness driven by non-injective key derivation. Treating name + salt as a unique identifier collapses pairs such as (ab, cd) and (a, bcd) into the same derived salt "abcd", so both pairs derive the same HMAC key and any cookie signed under one pair verifies under the other.
Attack Vector
Exploitation requires network access and a legitimate way to obtain a valid signed cookie from the target application, typically by authenticating or otherwise completing the flow that issues it. The attacker then submits that cookie value under the second cookie name, in a request handled by code that verifies it with a (name, salt) pair whose concatenation matches the issuing pair's. No user interaction is required beyond normal HTTP traffic. Refer to the Django Security Release Notes for vendor-supplied detail.
Detection Methods for CVE-2026-6873
Indicators of Compromise
- Application logs showing get_signed_cookie verifications succeeding for cookies whose name does not match the name under which the value was issued. Django does not emit such logs by default; this indicator depends on the verification logging described under Detection Strategies.
- Unexpected acceptance of signed cookie values across views or subsystems that use overlapping (name, salt) pairs.
- Requests carrying signed cookies whose decoded payload is inconsistent with the handler's expected schema.
Detection Strategies
- Inventory all calls to get_signed_cookie and set_signed_cookie and identify any (name, salt) pairs whose concatenations collide.
- Add server-side logging that records the cookie name, salt argument, and decoded payload type for each signed-cookie verification.
- Review middleware and view code for reuse of signed cookies across multiple security contexts.
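An added audit helper for the inventory step above (example code, not a Django tool): it parses Python source with ast, collects get_signed_cookie and set_signed_cookie calls whose cookie name and salt are string literals, and reports every group of distinct (name, salt) pairs whose concatenations collide. Calls with non-literal arguments cannot be resolved statically and are listed for manual review. The sample source at the bottom is constructed for the example.

```python
"""Audit helper for CVE-2026-6873: find get_signed_cookie / set_signed_cookie
calls whose literal (name, salt) pairs concatenate to the same string.

Added example, not part of Django. Both methods take the cookie name as the
first argument and the salt as the third positional argument or as salt=...
(default ''); only string literals are resolved, and calls with dynamic
arguments are listed separately for manual review.
"""
import ast
from collections import defaultdict
from pathlib import Path
from typing import Iterator, Optional

METHODS = {"get_signed_cookie", "set_signed_cookie"}


def _literal(node: ast.AST) -> Optional[str]:
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _name_and_salt(call: ast.Call):
    name = _literal(call.args[0]) if call.args else None
    salt = _literal(call.args[2]) if len(call.args) >= 3 else ""
    for kw in call.keywords:
        if kw.arg == "key":
            name = _literal(kw.value)
        elif kw.arg == "salt":
            salt = _literal(kw.value)
    return name, salt


def find_calls(source: str, filename: str = "<source>") -> Iterator[tuple]:
    """Yield (method, name, salt, filename, lineno) for each signed-cookie call;
    name or salt is None when it is not a string literal."""
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in METHODS):
            name, salt = _name_and_salt(node)
            yield node.func.attr, name, salt, filename, node.lineno


def find_collisions(sources: dict):
    """sources maps filename -> source text. Returns (collisions, dynamic):
    collisions maps each concatenated salt to the sorted distinct (name, salt)
    pairs producing it, keeping only groups with more than one pair; dynamic
    lists (filename, lineno, method) for calls with non-literal arguments."""
    by_concat = defaultdict(set)
    dynamic = []
    for filename, source in sources.items():
        for method, name, salt, fname, lineno in find_calls(source, filename):
            if name is None or salt is None:
                dynamic.append((fname, lineno, method))
            else:
                by_concat[name + salt].add((name, salt))
    collisions = {k: sorted(v) for k, v in by_concat.items() if len(v) > 1}
    return collisions, dynamic


def audit_tree(root: str):
    """Run find_collisions over every .py file below root."""
    sources = {str(p): p.read_text(encoding="utf-8")
               for p in Path(root).rglob("*.py")}
    return find_collisions(sources)


# Constructed sample: two colliding pairs, one unique pair, one dynamic call.
SAMPLE = '''
def issue(response):
    response.set_signed_cookie("ab", "x", salt="cd")
    response.set_signed_cookie("a", "y", "bcd")
    response.set_signed_cookie("pref", "z", salt="/prefs")

def consume(request, name, salt):
    request.get_signed_cookie("ab", salt="cd")
    request.get_signed_cookie(name, salt=salt)
'''

if __name__ == "__main__":
    collisions, dynamic = find_collisions({"views.py": SAMPLE})
    for concat, pairs in collisions.items():
        print(f"collision on {concat!r}: {pairs}")
    for fname, lineno, method in dynamic:
        print(f"{fname}:{lineno}: {method} with non-literal arguments, review manually")
```

Run audit_tree("path/to/project") against a real code base; a non-empty collisions dict means two contexts share a signing key and any cookie issued in one is accepted in the other. Salts assembled at runtime (settings values, f-strings) show up in the dynamic list and must be checked by hand.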
Monitoring Recommendations
- Alert on signed cookie verifications that occur outside their originating view or namespace.
- Track Django version inventory across all deployed services to confirm patched releases are in use.
- Correlate authentication and session anomalies with cookie-handling code paths to spot cross-context reuse.
How to Mitigate CVE-2026-6873
Immediate Actions Required
- Upgrade Django to 6.0.6 or 5.2.15, as listed in the Django Weblog Security Releases.
- Audit applications for get_signed_cookie and set_signed_cookie usages that share overlapping (name, salt) concatenations.
- For unsupported Django series (5.0.x, 4.1.x, 3.2.x), plan migration to a supported, patched release.
Patch Information
Django has released fixed versions 6.0.6 and 5.2.15. Patch notes and downloads are referenced in the Django Security Release Notes and announced through the Django Announcement Group.
Workarounds
- Choose name and salt values such that the concatenation name + salt is unique across the application.
- Until the patch is applied, begin every salt argument passed to set_signed_cookie and get_signed_cookie with a separator character that cannot appear in a cookie name (for example "/", which Python's http.cookies, used by Django's cookie handling, rejects in names). With names unable to contain the separator and every salt starting with it, the first separator in name + salt unambiguously ends the name, which restores injectivity.
- Avoid passing user-controlled values into the salt argument of get_signed_cookie.
# Upgrade Django to a patched release
pip install --upgrade "Django>=6.0.6,<6.1"
# or for the 5.2 LTS line
pip install --upgrade "Django>=5.2.15,<5.3"
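The collision described under Root Cause and the separator workaround listed above, as one added Python illustration that is not Django's code: a minimal HMAC cookie signer that follows the advisory's description (effective salt = cookie name + salt argument, no separator) on top of a simplified salted key derivation in the spirit of django.core.signing, not its exact construction. The legal-character table for cookie names is assumed to mirror Python's http.cookies; SECRET and the cookie values are constructed for the example.

```python
"""Model of the CVE-2026-6873 salt collision and of the separator workaround.

Added illustration, not Django's code. The signer follows the advisory's
description (effective salt = cookie name + salt argument, no separator) on
top of a simplified salted-HMAC key derivation; SECRET and all cookie values
are constructed for the example.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional

SECRET = b"constructed-secret-for-the-example"

# Characters accepted in a cookie name. Assumption: this mirrors the
# _LegalChars table of Python's http.cookies; '/' is not in it, which is why
# it can serve as an unambiguous separator between name and salt.
_LEGAL_NAME = re.compile(r"^[A-Za-z0-9!#$%&'*+\-.^_`|~:]+$")
SEPARATOR = "/"


def effective_salt(name: str, salt: str) -> str:
    """The vulnerable derivation: plain concatenation, so (ab, cd) == (a, bcd)."""
    if not _LEGAL_NAME.match(name):
        raise ValueError(f"illegal cookie name: {name!r}")
    return name + salt


def _mac(value: str, name: str, salt: str) -> str:
    # Simplified salted key derivation (sha256 over effective salt and secret):
    # equal effective salts give equal keys, which is the whole problem.
    key = hashlib.sha256(effective_salt(name, salt).encode() + SECRET).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_cookie(value: str, name: str, salt: str = "") -> str:
    """What set_signed_cookie produces in this model: value:signature."""
    return f"{value}:{_mac(value, name, salt)}"


def unsign_cookie(token: str, name: str, salt: str = "") -> Optional[str]:
    """What get_signed_cookie does in this model: the value if the signature
    verifies under (name, salt), else None."""
    value, _, sig = token.rpartition(":")
    if hmac.compare_digest(sig.encode(), _mac(value, name, salt).encode()):
        return value
    return None


def workaround_salt(purpose: str) -> str:
    """Workaround: every salt the application passes starts with SEPARATOR.
    Since SEPARATOR cannot occur in a name, the first one in name + salt always
    marks where the name ends, so the concatenation becomes injective."""
    return SEPARATOR + purpose


def demonstrate_collision() -> bool:
    """A cookie issued as name 'ab' with salt 'cd' verifies as name 'a' with
    salt 'bcd' because both derive the effective salt 'abcd'."""
    token = sign_cookie("role=admin", "ab", "cd")
    return unsign_cookie(token, "a", "bcd") == "role=admin"


def demonstrate_workaround() -> bool:
    """With separator-prefixed salts, 'ab/cd' and 'a/bcd' are different
    effective salts: the crossed verification fails, the legitimate one passes."""
    token = sign_cookie("role=admin", "ab", workaround_salt("cd"))
    crossed = unsign_cookie(token, "a", workaround_salt("bcd"))
    legitimate = unsign_cookie(token, "ab", workaround_salt("cd"))
    return crossed is None and legitimate == "role=admin"


if __name__ == "__main__":
    print("collision reproduces:", demonstrate_collision())
    print("workaround blocks it:", demonstrate_workaround())
```

The workaround only holds if every caller applies it: a single salt without the leading separator reintroduces pairs that can collide with a conforming one, which is why the upgrade, not the convention, is the durable fix.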
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


