CVE-2019-19844

CRITICAL LAB

Django < 1.11.27, 2.x < 2.2.9, 3.x < 3.0.1 - Account Takeover via Unicode Case Transformation Bypass

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2019-19844. PoCs published by Ryuji Tsutsui, ryu22e, andripwn.

AI-analyzed exploit summary: This PoC demonstrates an authentication bypass vulnerability in Django (CVE-2019-19844) by exploiting a Unicode case-folding issue in email validation. An attacker can reset the password of a legitimate user by providing a visually similar email address (e.g., using a Unicode character 'ı' instead of 'i').

Description

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
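The case-transformation collision and the two-part mitigation described above, as an added Python example that is not part of this record or of Django's own source: `REGISTERED`, `db_iexact` and the two reset functions are constructed stand-ins for a Django user table and PasswordResetForm, and the hardened comparison follows the normalize-then-casefold rule from Unicode Technical Report #36 that the fixed releases adopted.

```python
import unicodedata
from typing import Optional

# Constructed stand-in for a user table (username -> registered email); not real data.
REGISTERED = {"mike": "mike@example.com"}


def db_iexact(a: str, b: str) -> bool:
    """Model a database case-insensitive equality such as Django's __iexact,
    which PostgreSQL evaluates as UPPER(col) = UPPER(value). Full Unicode case
    mapping turns U+0131 'ı' into a plain 'I', so 'mıke' matches 'mike'."""
    return a.upper() == b.upper()


def unicode_ci_equal(s1: str, s2: str) -> bool:
    """Identifier comparison per Unicode TR #36 section 2.11.2(B)(2): NFKC
    normalise, then casefold. 'ı' casefolds to itself, so it no longer
    collides with 'i'; genuine compatibility variants still match."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def vulnerable_reset_target(submitted: str) -> Optional[str]:
    """Pre-fix flow: case-insensitive DB match, then mail the token to the
    address that was submitted in the form."""
    for registered in REGISTERED.values():
        if db_iexact(submitted, registered):
            return submitted
    return None


def fixed_reset_target(submitted: str) -> Optional[str]:
    """Post-fix flow: re-check each DB match with the TR #36 comparison, and
    always mail the token to the address on file, never the submitted one."""
    for registered in REGISTERED.values():
        if db_iexact(submitted, registered) and unicode_ci_equal(submitted, registered):
            return registered
    return None


if __name__ == "__main__":
    lookalike = "m\u0131ke@example.com"  # constructed: dotless ı in place of i
    print(vulnerable_reset_target(lookalike))      # mıke@example.com: token leaves for the lookalike
    print(fixed_reset_target(lookalike))           # None: lookalike rejected
    print(fixed_reset_target("MIKE@example.com"))  # mike@example.com: case-only difference still matches
```

The DB-level `iexact` match is kept in the fixed flow because it is a cheap pre-filter; the security decision is made by the second comparison and by mailing only the stored address.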

Exploits (5)

exploitdb WORKING POC VERIFIED
by Ryuji Tsutsui · webapps · python
https://www.exploit-db.com/exploits/47879

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Django (versions affected: 2.2 before 2.2.9, 3.0 before 3.0.1)
No auth needed
Prerequisites: PostgreSQL database · Django application with password reset functionality · User account with known email
Analyzed by devstral-2, Feb 18, 2026

nomisec WORKING POC 100 stars
by ryu22e · poc
https://github.com/ryu22e/django_cve_2019_19844_poc

This repository contains a functional proof-of-concept for CVE-2019-19844, a vulnerability in Django's password reset functionality that allows an attacker to bypass email validation by using visually similar Unicode characters (e.g., 'ı' instead of 'i'). The PoC demonstrates how an attacker can reset the password of a legitimate user by exploiting this flaw.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Django (versions affected by CVE-2019-19844)
No auth needed
Prerequisites: A Django application with password reset functionality enabled · Knowledge of a valid username
Analyzed by devstral-2, Feb 19, 2026

nomisec WORKING POC 8 stars
by andripwn · poc
https://github.com/andripwn/django_cve201919844

This repository contains a functional proof-of-concept for CVE-2019-19844, demonstrating an authentication bypass vulnerability in Django's password reset functionality. The exploit leverages Unicode character spoofing (e.g., 'mı[email protected]' vs '[email protected]') to bypass email validation and reset passwords for arbitrary accounts.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Django (versions affected by CVE-2019-19844)
No auth needed
Prerequisites: Access to Django's password reset endpoint · Knowledge of a valid username
Analyzed by devstral-2, Feb 19, 2026

nomisec WORKING POC 4 stars
by 0xsha · poc
https://github.com/0xsha/CVE_2019_19844

This repository contains a functional proof-of-concept for CVE-2019-19844, a vulnerability in Django's password reset functionality that allows for potential information disclosure or phishing via malformed Unicode characters in email addresses. The PoC demonstrates how a malformed email address (e.g., using a Unicode 'ı' instead of 'i') can bypass validation and potentially lead to security issues.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Django (versions affected by CVE-2019-19844)
No auth needed
Prerequisites: A Django application with password reset functionality enabled
Analyzed by devstral-2, Feb 19, 2026

github WRITEUP 3 stars
by HxDDD · poc
https://github.com/HxDDD/CVE-PoC/tree/main/Django/(Password bypass) CVE-2019-19844.md

This repository provides a detailed technical analysis of CVE-2019-19844, a password bypass vulnerability in Django's password reset functionality. It explains the root cause, including case-insensitive email matching and incorrect email handling during password reset, and includes patch details.

Classification: Writeup (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Django 3.0
No auth needed
Prerequisites: Django 3.0 with password reset functionality enabled · Access to the password reset form
Analyzed by devstral-2, Feb 27, 2026

References (10)

Core References
Third Party Advisory (vendor-advisory, x_refsource_ubuntu): https://usn.ubuntu.com/4224-1/
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2020/dsa-4598
Mailing List (mailing-list, x_refsource_bugtraq): https://seclists.org/bugtraq/2020/Jan/9
Exploit, Third Party Advisory (x_refsource_misc): http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
Vendor Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20200110-0003/
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/202004-17

Scores

CVSS v3 9.8
EPSS 0.1542
EPSS Percentile 94.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-640
Status published
Products (7)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
canonical/ubuntu_linux 19.10
djangoproject/django 3.0
djangoproject/django < 1.11.27
pypi/Django 0 - 1.11.27 (PyPI)
Published Dec 18, 2019
Tracked Since Feb 18, 2026