CVE-2026-35192
Published 2026-05-05
Priority P3 · 36 · medium 6.5 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EPSS: 0.54% (41.5th percentile)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
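The advisory's condition is a session cookie emitted on a response that a shared cache may store and replay without varying on `Cookie`. As an added defender-side check (not part of the advisory or of Django's own code), the script below flags such responses from captured headers and compares a Django version against the fixed ranges named above; the sample responses and the default `sessionid` cookie name are assumptions.

```python
"""Defender-side checks for the cached-page session-cookie condition above.
Added example, not Django code; sample responses below are constructed."""

# Fixed versions as named by the advisory on this page.
FIXED = {(6, 0): (6, 0, 5), (5, 2): (5, 2, 14)}

def version_affected(version):
    """True for 6.0 < 6.0.5 and 5.2 < 5.2.14; None for series the advisory
    did not evaluate (such as 5.0.x), which it says may also be affected."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts < fixed

def _values(headers, name):
    # Headers are (name, value) pairs so repeated Set-Cookie lines survive.
    return [v for k, v in headers if k.lower() == name.lower()]

def shared_cacheable(headers):
    """Storable by a shared cache: no private/no-store, but a freshness hint."""
    cc = ",".join(_values(headers, "Cache-Control")).lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False
    return bool(directives & {"public", "max-age", "s-maxage"})

def varies_on_cookie(headers):
    vary = {v.strip().lower() for h in _values(headers, "Vary") for v in h.split(",")}
    return "cookie" in vary or "*" in vary

def sets_session_cookie(headers, cookie_name="sessionid"):
    # "sessionid" is Django's default SESSION_COOKIE_NAME (assumed here).
    return any(v.split("=", 1)[0].strip() == cookie_name
               for v in _values(headers, "Set-Cookie"))

def response_finding(headers, cookie_name="sessionid"):
    """Finding text when a session cookie rides on a response a shared cache may
    store and replay to other clients (the condition behind this CVE), else None."""
    if (sets_session_cookie(headers, cookie_name) and shared_cacheable(headers)
            and not varies_on_cookie(headers)):
        return "session cookie on shared-cacheable response without Vary: Cookie"
    return None

# Constructed samples: a leaky response, the same with Vary: Cookie, a private one.
LEAKY = [("Cache-Control", "max-age=600"),
         ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/")]
SAFE = LEAKY + [("Vary", "Cookie")]
PRIVATE = [("Cache-Control", "private, max-age=600"),
           ("Set-Cookie", "sessionid=abc123; Path=/")]
```

Run `response_finding` over responses captured at the cache or proxy for public pages; a finding on any of them means the cache can hand one visitor's session cookie to the next, independent of which Django version produced it.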
Affected
26 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | aap-cloud-billing-rhel9 | — | — |
| ansible-automation-platform-27 | controller-rhel9 | — | — |
| ansible-automation-platform-27 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | hub-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | metrics-service-rhel9 | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| debian | python-django | — | — |
| discovery | discovery-server-rhel9 | — | — |
| djangoproject | django | >= 5.2 < 5.2.14 | 5.2.14 |
| djangoproject | django | >= 5.2 < 5.2.14 | 5.2.14 |
| djangoproject | django | >= 6.0 < 6.0.5 | 6.0.5 |
| djangoproject | django | >= 6.0 < 6.0.5 | 6.0.5 |
| satellite-capsule_el8 | python-django | — | — |
| satellite | iop-advisor-backend-rhel9 | — | — |
| satellite_el8 | python-django | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 2.3 | LOW | — |
| vendor_ubuntu | — | 2.3 | LOW | — |
VulDB
djangoproject Django up to 5.2.13/6.0.4 Response Header persistent cookies containing sensitive information
vuldb·2026-05-05·CVSS 2.3
CVE-2026-35192 [LOW] djangoproject Django up to 5.2.13/6.0.4 Response Header persistent cookies containing sensitive information
A vulnerability has been found in djangoproject Django up to 5.2.13/6.0.4 and classified as problematic. Affected by this issue is some unknown functionality of the component Response Header Handler. The manipulation leads to use of persistent cookies containing sensitive information.
This vulnerability is referenced as CVE-2026-35192. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
GHSA
Django Uses Persistent Cookies Containing Sensitive Information
ghsa·2026-05-05
CVE-2026-35192 [LOW] CWE-539 Django Uses Persistent Cookies Containing Sensitive Information
Django Uses Persistent Cookies Containing Sensitive Information
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django thanks Cantina for reporting this issue.
GHSA
GHSA-7h2m-m8vj-598h: An issue was discovered in 6
ghsa_unreviewed·2026-05-05
CVE-2026-35192 [LOW] CWE-539 GHSA-7h2m-m8vj-598h: An issue was discovered in 6
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
Red Hat
Django: Django: Session theft due to improper cookie handling with cached pages
vendor_redhat·2026-05-05·CVSS 2.3
CVE-2026-35192 [LOW] CWE-488 Django: Django: Session theft due to improper cookie handling with cached pages
Django: Django: Session theft due to improper cookie handling with cached pages
A flaw was found in Django. When the `SESSION_SAVE_EVERY_REQUEST` setting is enabled, response headers do not properly vary on cookies for unmodified sessions. This vulnerability allows a remote attacker to steal a user's session after the user visits a cached public page, leading to unauthorized access to their account.
Package: ansible-automation-platform-24/lightspeed-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-25/lightspeed-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-26/controller-rhel9 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-26/eda-controller-r
Ubuntu
Django vulnerabilities
vendor_ubuntu·2026-05-05·CVSS 2.3
CVE-2026-6907 [LOW] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django did not vary cached response headers on cookies when sessions were not modified while SESSION_SAVE_EVERY_REQUEST was enabled. A remote attacker could possibly use this issue to steal a user's session. (CVE-2026-35192)

Kyle Agronick and Jacob Walls discovered that Django incorrectly handled ASGI requests with missing or understated Content-Length header values. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. (CVE-2026-5766)

Ahmad Sadeddin discovered that Django UpdateCacheMiddleware incorrectly cached requests where the Vary header contained an asterisk. A remote attacker could possibly use this iss
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35192 python-django4.2: Django: Session theft due to improper cookie handling with cached pages [epel-all]
bugzilla·2026-06-04·CVSS 2.3
CVE-2026-35192 [LOW] CVE-2026-35192 python-django4.2: Django: Session theft due to improper cookie handling with cached pages [epel-all]
CVE-2026-35192 python-django4.2: Django: Session theft due to improper cookie handling with cached pages [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-35192 python-django5: Django: Session theft due to improper cookie handling with cached pages [fedora-all]
bugzilla·2026-06-04·CVSS 2.3
CVE-2026-35192 [LOW] CVE-2026-35192 python-django5: Django: Session theft due to improper cookie handling with cached pages [fedora-all]
CVE-2026-35192 python-django5: Django: Session theft due to improper cookie handling with cached pages [fedora-all]
Bugzilla
CVE-2026-35192 python-django3: Django: Session theft due to improper cookie handling with cached pages [epel-all]
bugzilla·2026-06-04·CVSS 2.3
CVE-2026-35192 [LOW] CVE-2026-35192 python-django3: Django: Session theft due to improper cookie handling with cached pages [epel-all]
CVE-2026-35192 python-django3: Django: Session theft due to improper cookie handling with cached pages [epel-all]
Bugzilla
CVE-2026-35192 python-django6: Django: Session theft due to improper cookie handling with cached pages [fedora-all]
bugzilla·2026-06-04·CVSS 2.3
CVE-2026-35192 [LOW] CVE-2026-35192 python-django6: Django: Session theft due to improper cookie handling with cached pages [fedora-all]
CVE-2026-35192 python-django6: Django: Session theft due to improper cookie handling with cached pages [fedora-all]
Bugzilla
CVE-2026-35192 Django: Django: Session theft due to improper cookie handling with cached pages
bugzilla·2026-05-05·CVSS 2.3
CVE-2026-35192 [LOW] CVE-2026-35192 Django: Django: Session theft due to improper cookie handling with cached pages
CVE-2026-35192 Django: Django: Session theft due to improper cookie handling with cached pages
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.