CVE-2026-35193
Published 2026-06-03. CVE-2026-35193: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add…
Priority: P4 · 17 · low · 3.1 (CVSS 3.1) · Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.36% (27.9th percentile)
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Shai Berger for reporting this issue.
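To make the mechanism in the description above (and in the Red Hat entry further down, which restates it) concrete, here is a small Python model of how a shared page cache keyed on URL plus `Vary` headers behaves with and without the fix. This is example code added for this page; it is not Django's implementation and not part of the advisory. `Request`, `Response`, `PageCache`, `page_key`, `update_cache`, `fetch_from_cache` and `leak_to_anonymous` are simplified stand-ins for Django's `UpdateCacheMiddleware`/`FetchFromCacheMiddleware` and its cache-key derivation, and the `/api/me` URL, the bearer token and the JSON body are constructed samples.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: path plus header dict."""
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    """Constructed stand-in for an HTTP response: body plus header dict."""
    body: str
    headers: dict = field(default_factory=dict)


class PageCache:
    """Stand-in for the cache backend: stored pages plus, per URL, the list of
    request header names the stored page varies on (assumed structure)."""

    def __init__(self):
        self.pages = {}
        self.vary_by_path = {}


def _tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def _vary_names(response):
    return [v.strip() for v in response.headers.get("Vary", "").split(",") if v.strip()]


def page_key(request, vary_names):
    # The page key is the URL plus a hash of this request's values for every
    # header named in Vary. A header that is absent from Vary never enters the
    # key, so two requests that differ only in that header share one entry.
    digest = hashlib.sha256()
    for name in vary_names:
        digest.update(request.headers.get(name, "").encode())
    return f"views.{request.path}.{digest.hexdigest()}"


def update_cache(cache, request, response, *, fixed):
    """Model of the response side of the cache middleware, vulnerable or fixed."""
    cc = _tokens(response.headers.get("Cache-Control", ""))
    if cc & {"private", "no-store"}:
        return response  # never stored, so nothing can leak
    if fixed and "Authorization" in request.headers and "public" not in cc:
        # The fix described by the advisory: a response produced for a request
        # bearing Authorization, and not explicitly marked public, must vary on
        # Authorization so that an unauthenticated request gets a different key.
        vary = _vary_names(response)
        if "Authorization" not in vary:
            vary.append("Authorization")
        response.headers["Vary"] = ", ".join(vary)
    vary_names = _vary_names(response)
    cache.vary_by_path[request.path] = vary_names
    cache.pages[page_key(request, vary_names)] = response
    return response


def fetch_from_cache(cache, request):
    """Model of the request side: find which headers the URL varies on, then
    build the key for *this* request and look it up."""
    vary_names = cache.vary_by_path.get(request.path)
    if vary_names is None:
        return None
    return cache.pages.get(page_key(request, vary_names))


def leak_to_anonymous(*, fixed, cache_control=None):
    """Cache an authenticated user's private response, then replay the same URL
    with no credentials. Returns the body the anonymous caller receives, or None."""
    cache = PageCache()
    private_body = '{"user": "alice", "email": "alice@example.test"}'  # constructed
    headers = {"Cache-Control": cache_control} if cache_control else {}
    alice = Request("/api/me", {"Authorization": "Bearer alice-token"})  # constructed
    update_cache(cache, alice, Response(private_body, headers), fixed=fixed)
    anonymous = Request("/api/me")  # same URL, no Authorization header
    hit = fetch_from_cache(cache, anonymous)
    return hit.body if hit else None


if __name__ == "__main__":
    print("vulnerable, no Cache-Control :", leak_to_anonymous(fixed=False))
    print("fixed, no Cache-Control      :", leak_to_anonymous(fixed=True))
    print("fixed, Cache-Control: public :", leak_to_anonymous(fixed=True, cache_control="public"))
    print("either, Cache-Control: private:", leak_to_anonymous(fixed=False, cache_control="private"))
```

The three outcomes are the ones the advisory implies: without the fix the anonymous replay receives Alice's body; with the fix the key now incorporates the (empty) `Authorization` value and misses; and a response the application itself marked `Cache-Control: public` is still shared, which is the intended exception. The same model is a useful checklist when reviewing a deployment: send a request carrying `Authorization` to a cached URL and confirm the response either carries `Vary: Authorization`, or is marked `private`/`no-store`, or is deliberately `public`. On real Django, the equivalent of the `Vary` merge above is `django.utils.cache.patch_vary_headers(response, ("Authorization",))`; calling that from a project-level middleware listed after `UpdateCacheMiddleware` (so its response hook runs before the cache stores the page) is a way to get the fixed behaviour while an upgrade to 5.2.15 or 6.0.6 is pending. That suggestion is mine, not the advisory's; the advisory's remedy is the upgrade.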
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | aap-cloud-billing-rhel9 | — | — |
| ansible-automation-platform-27 | controller-rhel9 | — | — |
| ansible-automation-platform-27 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | hub-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | metrics-service-rhel9 | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| discovery | discovery-server-rhel9 | — | — |
| djangoproject | django | >= 5.2 < 5.2.15 | 5.2.15 |
| djangoproject | django | >= 6.0 < 6.0.6 | 6.0.6 |
| satellite | iop-advisor-backend-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
| NVD | 4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 2.3 | LOW | — |
GHSA
ghsa_unreviewed · 2026-06-03 · CVE-2026-35193 · LOW · CWE-524
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
Red Hat
vendor_redhat · 2026-06-03 · CVSS 2.3 · CVE-2026-35193 · LOW · CWE-524
django: Django: Information disclosure due to improper caching of authenticated responses
A flaw was found in Django. This vulnerability allows a remote attacker to read private cached responses. This occurs because the `UpdateCacheMiddleware` in Django does not correctly add the `Authorization` header to the `Vary` response header for requests that include an `Authorization` header but lack `Cache-Control: public`. Consequently, unauthenticated requests to the same URL can access sensitive cached information.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: ansible-automation-platfor
No detection rules found.
No public exploits indexed.
Published: 2026-06-03