CVE-2019-19844: Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing ...

Description

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

34.81%

98.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-640

Affected Software

Vendor	Product	Versions
Djangoproject	Django	< 1.11.27
Djangoproject	Django	>= 2.2, < 2.2.9
Djangoproject	Django	3.0
Canonical	Ubuntu Linux	16.04
Canonical	Ubuntu Linux	18.04
Canonical	Ubuntu Linux	19.04
Canonical	Ubuntu Linux	19.10

References

Timeline

Published: Dec 18, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-19844?

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

How severe is CVE-2019-19844?

CVE-2019-19844 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 34.81% probability of exploitation in the next 30 days.

How do I fix CVE-2019-19844?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.