Listen to this Post
The vulnerability exists in the `django.contrib.auth.handlers.modwsgi.check_password()` function used for authentication via the mod_wsgi interface. This function is responsible for verifying passwords during HTTP Basic authentication when Django is deployed with Apache mod_wsgi. The issue is a timing side-channel: the function’s execution time differs depending on whether the provided username corresponds to an existing user in the database. This occurs because the function retrieves the user record before performing password hashing and comparison. If the user does not exist, the function returns early, resulting in a shorter response time. An attacker can send numerous authentication requests with various usernames and precisely measure the server’s response times. Statistically significant longer response times indicate valid usernames, allowing remote attackers to enumerate registered users. This attack bypasses the intended security of the authentication flow, which should not reveal user existence. The vulnerability is specific to the mod_wsgi authentication handler and does not affect other Django authentication backends.
Platform: Django
Version: 6.0 5.2 4.2
Vulnerability: Timing user enumeration
Severity: Low
date: Feb 3 2026
Prediction: Patched Feb 2026
What Undercode Say:
Analytics
!/bin/bash
Simulate timing attack requests
for user in candidate_list.txt; do
time curl -s -o /dev/null -w “%{time_total}” http://target/django/path –basic -u “$user:wrongpass”
done
Python snippet to demonstrate vulnerable check_password logic
import time
def check_password(username, password):
Simulated database lookup
user = get_user(username) Returns None if not exist
if user is None:
return False Early return, faster
Time-consuming hash comparison
return slow_compare(user.hash, hash(password))
How Exploit:
Attacker sends crafted HTTP Basic Auth requests to mod_wsgi endpoint with different usernames. Using tools like ‘curl’ or custom scripts, they measure response times. Longer times confirm valid usernames, enabling enumeration for further attacks like password spraying.
Protection from this CVE:
Update Django to patched versions: 6.0.2, 5.2.11, or 4.2.28. Disable mod_wsgi auth handler if unused. Implement constant-time comparison functions for authentication logic.
Impact:
User enumeration leads to privacy breach, targeted attacks, and increased account compromise risk.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

