CVE-2026-6907

Summary

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.

Affected Software

VendorProductVersion RangeStatus
djangoprojectDjango6.0 < 6.0.5affected
djangoprojectDjango6.0.5unaffected
djangoprojectDjango5.2 < 5.2.14affected
djangoprojectDjango5.2.14unaffected

Weaknesses

  • CWE-524: CWE-524: Use of Cache Containing Sensitive Information

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References