CVE-2026-48587
Published 2026-06-03
Priority: P4 (31) · medium
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.35% (27.2th percentile)
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Navid Rezazadeh for reporting this issue.
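To make the defect concrete, here is an illustrative Python model added for this page (not Django's own code): a naive check that lower-cases the comma-separated `Vary` items but does not strip them, beside a hardened version that does, an audit helper that lists padded items so you can find views emitting them, and a model of the cache-layer guard that relies on the check. The split regex, the function names and the guard's shape are assumptions.

```python
import re

# Comma-with-surrounding-whitespace delimiter for Vary values (assumption:
# a model of how the header is split, not Django's own code).
_VARY_DELIM = re.compile(r"\s*,\s*")


def has_vary_header_naive(vary_value, header_query):
    """Model of the flawed comparison the advisory describes: items are
    lower-cased but not stripped, so leading whitespace on the first item or
    trailing whitespace on the last one survives the comma split and the
    padded value never equals the queried header name."""
    if vary_value is None:
        return False
    items = {item.lower() for item in _VARY_DELIM.split(vary_value)}
    return header_query.lower() in items


def has_vary_header_fixed(vary_value, header_query):
    """Hardened comparison: strip each item before comparing and ignore
    empty items left behind by stray commas."""
    if vary_value is None:
        return False
    items = {item.strip().lower() for item in _VARY_DELIM.split(vary_value)}
    items.discard("")
    return header_query.lower() in items


def padded_vary_items(vary_value):
    """Audit helper: the Vary items that carry leading or trailing
    whitespace, i.e. exactly the ones the flawed comparison misses.
    Run it over your own responses to find views that emit padded values."""
    if not vary_value:
        return []
    return [item for item in _VARY_DELIM.split(vary_value) if item != item.strip()]


def safe_to_cache(vary_value, sets_cookie, request_has_cookies, checker):
    """Model (assumed shape) of the cache-layer guard the advisory concerns:
    a response that sets a cookie for a cookie-less request must stay out of
    the shared cache when it varies on Cookie. With the naive checker a
    padded 'Vary: Cookie ' slips past the guard, so the user-specific
    response is cached and served to other clients."""
    if not request_has_cookies and sets_cookie and checker(vary_value, "Cookie"):
        return False
    return True
```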
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | aap-cloud-billing-rhel9 | — | — |
| ansible-automation-platform-27 | controller-rhel9 | — | — |
| ansible-automation-platform-27 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | hub-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-27 | metrics-service-rhel9 | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| discovery | discovery-server-rhel9 | — | — |
| djangoproject | django | >= 5.2 < 5.2.15 | 5.2.15 |
| djangoproject | django | >= 6.0 < 6.0.6 | 6.0.6 |
| satellite | iop-advisor-backend-rhel9 | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 2.3 | LOW | — |
VulDB
vuldb · 2026-06-08 · CVSS 5.3
CVE-2026-48587 [MEDIUM] Django up to 5.2.14/6.0.5 Response Header django.utils.cache.has_vary_header incomplete comparison with missing factors (Nessus ID 318785 / WID-SEC-2026-1807)
A vulnerability marked as problematic has been reported in Django up to 5.2.14/6.0.5. Affected by this issue is the function django.utils.cache.has_vary_header of the component Response Header Handler. Manipulation results in an incomplete comparison with missing factors.
This vulnerability is reported as CVE-2026-48587. The attack can be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-06-03
CVE-2026-48587 [LOW] CWE-1023 An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
Red Hat
vendor_redhat · 2026-06-03 · CVSS 2.3
CVE-2026-48587 [LOW] CWE-524 django: Django: Information disclosure via improper handling of Vary header whitespace
A flaw was found in Django. Remote attackers can exploit this vulnerability due to `django.utils.cache.has_vary_header()` not properly stripping whitespace from `Vary` response header values. This allows an attacker to read cached responses by sending requests to URLs with whitespace-padded `Vary` header values, leading to information disclosure.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: ansible-automation-platform-24/lightspeed-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
No detection rules found.
No public exploits indexed.
Published: 2026-06-03