Django 6.0.6

Release Date: June 3, 2026

Five CVEs patched, one bug fixed — but before you rush to upgrade, let's talk about what actually affects your project. Django 6.0.6 landed on June 3 as a security release, and while the Django project rates all five issues as "low" severity, that rating deserves a second look.

The Cookie Collision You Didn't Know About (CVE-2026-6873)

Signed cookie salt namespace collision is the kind of vulnerability that sounds abstract until you realize someone could theoretically craft a cookie that bypasses your signing mechanism. In practice, this requires specific conditions — your app needs to be using signed cookies with a custom salt that happens to collide with Django's internal namespace. If you're using django.contrib.messages or django.contrib.sessions with cookie backends, you're in the affected window. The fix is straightforward (a salt namespace separation), but if you've built custom middleware that touches cookie signing, test carefully.

STARTTLS: The Encryption That Wasn't (CVE-2026-7666)

This one matters more than its "low" label suggests. Django's SMTP backend had a flaw where, after a failed STARTTLS negotiation, the connection could fall back to unencrypted transmission without raising an error. Your emails were supposed to be encrypted. Some of them weren't. If you're in a regulated industry (healthcare, finance, EU), this is not a low-severity issue — it's a compliance problem waiting to happen. The fix ensures that failed STARTTLS now properly raises an exception instead of silently downgrading.

The Vary Header Information Leak (CVE-2026-48587)

Here's a subtle one: Django's cache middleware uses the Vary header to determine cache keys. Due to a whitespace normalization bug, two requests with effectively different Vary values could be treated as the same cache entry, potentially leaking private data between users. This affects sites using UpdateCacheMiddleware or FetchFromCacheMiddleware with custom Vary headers. If you serve authenticated content behind a cache, this release is non-negotiable.
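To see why Vary handling matters for a shared cache, here is an added, self-contained model of how a Vary-aware cache key is derived (URL plus the request's values for each header the Vary header names) together with an isolation check you can run against your own header sets. This is illustrative code written for this post, not Django's middleware; the request dictionaries and URL are constructed sample input.

```python
"""Illustrative model of Vary-aware cache keying (constructed example, not Django's code)."""
import hashlib


def normalize_vary(vary_header: str) -> list[str]:
    """Parse a Vary header into a canonical, sorted list of lowercase header names.

    Whitespace around commas and letter case carry no meaning in HTTP header
    names, so "Cookie, Accept-Language" and "accept-language,cookie" must map
    to the same list, while genuinely different header sets must stay distinct.
    """
    names = {part.strip().lower() for part in vary_header.split(",") if part.strip()}
    return sorted(names)


def cache_key(url: str, vary_header: str, request_headers: dict[str, str]) -> str:
    """Derive a cache key from the URL plus the request's value for every varied header."""
    digest = hashlib.sha256(url.encode())
    for name in normalize_vary(vary_header):
        # Header lookup is case-insensitive; a header the request lacks hashes as empty.
        value = next((v for k, v in request_headers.items() if k.lower() == name), "")
        # NUL-separated name=value pairs so adjacent fields cannot run into each other.
        digest.update(b"\0" + name.encode() + b"=" + value.encode())
    return digest.hexdigest()


def keys_are_isolated(url: str, vary_header: str, requests: list[dict[str, str]]) -> bool:
    """True when every request in `requests` gets its own cache entry under this Vary policy.

    Use this with one sample request per user to confirm that authenticated
    responses cannot be served from another user's cache entry.
    """
    keys = [cache_key(url, vary_header, headers) for headers in requests]
    return len(set(keys)) == len(keys)
```

A result of False from keys_are_isolated means the Vary policy you pass does not distinguish those requests, so a cached response for one of them would be served to the others.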

Also Fixed: One Admin UI Bug

Beyond the security patches, exactly one non-security bug was fixed: an alert message on the admin changelist with ModelAdmin.list_editable referred to the "Run" button by its previous name. Minor, but it tells you something about the scope of this release — it's purely a security rollup, not a feature drop. If you were waiting for Django 6.0.6 to ship new functionality, keep waiting.

The Verdict

Should you upgrade? Yes — always, for security releases. But don't treat this as a routine patch. The STARTTLS fix (CVE-2026-7666) and the Vary header leak (CVE-2026-48587) deserve dedicated QA attention, especially if you run Django behind a CDN or in a compliance-sensitive environment. Run your test suite, review your cookie and cache usage, and deploy with the same caution you'd give any mid-cycle security release.