DJANGO PATCHES PASSWORD HASHER REGRESSION THAT BROKE NON-UTF8 INPUTS

By RepoJournal · Filed · About Django

Django shipped a critical fix for a bug introduced in recent versions where PBKDF2 and MD5 password hashers reject valid passwords containing non-UTF-8 bytes, breaking authentication for legitimate use cases.

The regression stems from an unnecessary `force_str()` call in the PBKDF2 hasher that raised `UnicodeDecodeError` on perfectly valid password values [1]. The MD5 hasher had the same issue, fixed by removing the UTF-8 validity constraint and concatenating with `force_bytes()` instead [2]. If you're using either hasher with binary password data or non-ASCII input, this patch restores functionality that broke in 78fac1b0473. In related fixes, Django also prevented `FileBasedCache.touch()` from raising `ValueError` when called on expired keys [3], eliminating a silent crash when cache maintenance runs on stale entries. Documentation got a precision update distinguishing "plaintext" from "plain-text" in password hasher docs to clarify whether `make_password()` expects UTF-8 encoded text or raw password material [4].
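The hasher regression described above can be reproduced with the standard library alone; the example also checks that text and UTF-8 byte passwords hash identically on both paths. This is an added example, not Django's code: `to_text`, `to_bytes`, the `pbkdf2_*` functions, the salt and the low iteration count are illustrative assumptions.

```python
import base64
import hashlib


def to_text(value):
    """Coerce to str, decoding bytes as strict UTF-8 (the unnecessary step)."""
    return value.decode("utf-8") if isinstance(value, bytes) else str(value)


def to_bytes(value):
    """Coerce to bytes: str is UTF-8 encoded, bytes pass through untouched."""
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def _derive(password_bytes, salt, iterations):
    digest = hashlib.pbkdf2_hmac("sha256", password_bytes, to_bytes(salt), iterations)
    return base64.b64encode(digest).decode("ascii")


# iterations=1000 is a constructed low value so the demo runs quickly,
# not a recommended work factor.
def pbkdf2_regressed(password, salt, iterations=1000):
    # Round-trips through str first, so non-UTF-8 bytes never reach the KDF.
    return _derive(to_bytes(to_text(password)), salt, iterations)


def pbkdf2_fixed(password, salt, iterations=1000):
    # Hands the password bytes to the KDF unchanged.
    return _derive(to_bytes(password), salt, iterations)


def check(password, salt="constructedsalt"):
    """Return (regressed result or exception name, fixed result)."""
    try:
        regressed = pbkdf2_regressed(password, salt)
    except UnicodeDecodeError as exc:
        regressed = type(exc).__name__
    return regressed, pbkdf2_fixed(password, salt)


if __name__ == "__main__":
    # Constructed samples: text, the same text as UTF-8 bytes, raw binary.
    for pw in ("p\u00e4ssword", "p\u00e4ssword".encode("utf-8"), b"\xff\xfe\x80secret"):
        print(repr(pw), check(pw))
```

Identical output on both paths for the first two samples shows that removing the str round-trip leaves hashes of text passwords unchanged; only the raw binary sample behaves differently.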

References

  [1] Fixed #37184 -- Allowed non-UTF-8 bytes passwords in the PBKDF2 and MD5 password hashers. django/django
  [2] Fixed #37184 -- Allowed non-UTF-8 bytes passwords in the PBKDF2 and MD5 password hashers. django/django
  [3] Fixed #37191 -- Prevented ValueError in FileBasedCache.touch() for expired keys. django/django
  [4] Clarified "plaintext" vs. "plain-text" in password hashers docs. django/django

FAQ

What changed in Django on June 27, 2026?
Django shipped a critical fix for a bug introduced in recent versions where PBKDF2 and MD5 password hashers reject valid passwords containing non-UTF-8 bytes, breaking authentication for legitimate use cases.
What should Django teams do about it?
  • If using PBKDF2 or MD5 hashers with non-UTF8 passwords, pull the latest Django patch immediately
  • Test `FileBasedCache.touch()` calls in your caching logic after upgrading
  • Monitor for any authentication failures in production during this week's deployments
Which Django repositories shipped on June 27, 2026?
django/django
