CVE-2026-6907
Published 2026-05-05
CVE-2026-6907: An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`)…
Priority: P4 (30) · medium · 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.36% (27.7th percentile)
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14.
`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmad Sadeddin for reporting this issue.
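To make the failure mode concrete, here is an added, self-contained Python model of the decision the update-cache side of the middleware has to make. It is written for this page and is not Django's code; it does not import Django. Request, Response, CacheModel, account_view and simulate are names chosen for the illustration, and the cookie values are constructed. The model keys cached responses on the URL plus the values of the request headers named in Vary, which is what a Vary-aware cache does. The flawed mode treats '*' as if it were an ordinary header name (no client sends a header called '*', so every user collapses onto one cache key and the first user's private page is served to everyone); the corrected mode refuses to store a response whose Vary contains '*', which is what RFC 9110 requires for that value.

```python
"""Model of the Vary: '*' caching decision described above (added illustration,
not Django's code). honor_star=False reproduces the flawed behaviour; honor_star=True
models the fix: a response carrying Vary: * is never stored in the shared cache."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)  # e.g. {"Cookie": "sessionid=alice"}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)  # e.g. {"Vary": "*"}


def vary_fields(resp: Response) -> list:
    """Split the Vary header into field names ('Cookie', 'Accept-Language', '*', ...)."""
    raw = resp.headers.get("Vary", "")
    return [v.strip() for v in raw.split(",") if v.strip()]


def cache_key(req: Request, varies: list) -> str:
    """Key on the URL plus the values of the request headers named in Vary."""
    h = hashlib.sha256(req.path.encode())
    for name in sorted(varies, key=str.lower):
        value = req.headers.get(name, "")  # a header literally named '*' is never sent, so it adds nothing
        h.update(f"\n{name.lower()}={value}".encode())
    return h.hexdigest()


def store_decision(resp: Response, honor_star: bool):
    """Return the Vary fields to key on, or None when the response must not be stored."""
    varies = vary_fields(resp)
    if honor_star and "*" in varies:
        return None  # the fix: any request attribute may select this response, so no key is safe
    return varies


class CacheModel:
    """In-memory shared cache with a fetch side and an update side, like Django's cache middleware."""

    def __init__(self, honor_star: bool):
        self.honor_star = honor_star
        self.store = {}

    def handle(self, req: Request, view):
        # Fetch side: reuse the Vary list learned when a response for this URL was stored.
        learned = self.store.get(("vary", req.path))
        if learned is not None:
            hit = self.store.get(("resp", cache_key(req, learned)))
            if hit is not None:
                return hit, True
        resp = view(req)
        # Update side: decide whether the fresh response may be stored, and under which key.
        varies = store_decision(resp, self.honor_star)
        if varies is not None:
            self.store[("vary", req.path)] = varies
            self.store[("resp", cache_key(req, varies))] = resp
        return resp, False


def account_view(req: Request) -> Response:
    """Per-user private content that correctly declares it depends on the whole request."""
    user = req.headers.get("Cookie", "anonymous")
    return Response(body=f"private data for {user}", headers={"Vary": "*"})


def simulate(honor_star: bool, vary: str = "*"):
    """Alice fetches /account, then Bob does. Returns (body Bob received, served_from_cache)."""
    def view(req):
        r = account_view(req)
        r.headers["Vary"] = vary
        return r
    cache = CacheModel(honor_star)
    cache.handle(Request("/account", {"Cookie": "sessionid=alice"}), view)  # constructed cookies
    resp, hit = cache.handle(Request("/account", {"Cookie": "sessionid=bob"}), view)
    return resp.body, hit


if __name__ == "__main__":
    print("flawed, Vary: *     ->", simulate(honor_star=False))  # Bob is served Alice's page from cache
    print("fixed,  Vary: *     ->", simulate(honor_star=True))   # Bob gets his own page, nothing cached
    print("either, Vary: Cookie->", simulate(False, "Cookie"))  # a real header name keys correctly
```

The last line of the usage is the contrast worth keeping in mind: the same per-user view with `Vary: Cookie` is safe in both modes, because the cookie value enters the key. Only the wildcard, which names no header to key on, needs the explicit refuse-to-cache branch.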
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-24 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-25 | lightspeed-rhel8 | — | — |
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | eda-controller-rhel9 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| ansible-automation-platform-26 | lightspeed-rhel9 | — | — |
| ansible-automation-platform-tech-preview | metrics-service-rhel9 | — | — |
| ansible-automation-platform | automation-dashboard-rhel9 | — | — |
| debian | python-django | — | — |
| discovery | discovery-server-rhel9 | — | — |
| djangoproject | django | >= 5.2 < 5.2.14 | 5.2.14 |
| djangoproject | django | >= 6.0 < 6.0.5 | 6.0.5 |
| satellite | iop-advisor-backend-rhel9 | — | — |
| satellite_el8 | python-django | — | — |
| ubuntu | python-django | — | — |
CVSS provenance
NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD, CVSS v4.0: 2.3 LOW, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat (vendor): 2.3 LOW
Ubuntu (vendor): 2.3 LOW
Ubuntu
Django vulnerabilities (vendor_ubuntu · 2026-05-05 · CVSS 2.3 · LOW)
Summary: Several security issues were fixed in Django.
It was discovered that Django did not vary cached response headers on cookies when sessions were not modified while SESSION_SAVE_EVERY_REQUEST was enabled. A remote attacker could possibly use this issue to steal a user's session. (CVE-2026-35192)

Kyle Agronick and Jacob Walls discovered that Django incorrectly handled ASGI requests with missing or understated Content-Length header values. A remote attacker could possibly use this issue to cause Django to use excessive resources, leading to a denial of service. (CVE-2026-5766)

Ahmad Sadeddin discovered that Django UpdateCacheMiddleware incorrectly cached requests where the Vary header contained an asterisk. A remote attacker could possibly use this iss
Red Hat
django: Django: Information Disclosure via erroneous caching of Vary header with asterisk (vendor_redhat · 2026-05-05 · CVSS 2.3 · LOW · CWE-524)
A flaw was found in Django. The `django.middleware.cache.UpdateCacheMiddleware` component incorrectly caches web requests when the `Vary` header contains an asterisk ('*'). This error can lead to sensitive private data being stored in the cache and subsequently served to unauthorized users, resulting in information disclosure.
Mitigation: To mitigate this issue, disable the `django.middleware.cache.UpdateCacheMiddleware` in your Django application's `settings.py` file by removing it from the `MIDDLEWARE` list. This action prevents the erroneous caching of requests with an asterisk in the `Vary` header, thereby eliminating the information disclosure vulnerability. Be aware that disabling this middlew
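A triage check to go with the mitigation above, added here as an illustration and not Red Hat's or Django's code: it takes the Django version string (what `django.get_version()` returns) and the MIDDLEWARE list from settings.py and reports whether the version falls inside the ranges this advisory names and whether the caching middleware the mitigation points at is enabled. parse_version, version_status and assess are names chosen for this example; the version strings and middleware list in the usage are constructed. Two caveats are built in: the advisory only says older unsupported series were not evaluated, so those are reported as "unevaluated", never as safe; and the middleware being present is a necessary condition, not proof of exposure, since per the advisory the leak needs a response whose Vary contains '*'.

```python
"""Added triage check for this advisory (illustration, not Django's or Red Hat's code):
classify a Django version against the fixed-in versions named above and report whether
the cache-update middleware is in the MIDDLEWARE setting."""

# Fixed-in versions from the advisory: 5.2 series fixed in 5.2.14, 6.0 series fixed in 6.0.5.
FIXED = {(5, 2): (5, 2, 14), (6, 0): (6, 0, 5)}

CACHE_MIDDLEWARE = (
    "django.middleware.cache.UpdateCacheMiddleware",
    # CacheMiddleware subclasses UpdateCacheMiddleware in Django, so it is flagged for review too;
    # the advisory itself names only UpdateCacheMiddleware.
    "django.middleware.cache.CacheMiddleware",
)


def parse_version(s: str) -> tuple:
    """'5.2.13' -> (5, 2, 13); a pre-release tag such as '6.1a1' is truncated to its digits."""
    parts = []
    for piece in s.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_status(version: str) -> str:
    """'affected' / 'fixed' for the series the advisory names; 'unevaluated' for older series."""
    v = parse_version(version)
    series = v[:2]
    if series in FIXED:
        return "fixed" if v >= FIXED[series] else "affected"
    if series < (5, 2):
        return "unevaluated"  # advisory: older, unsupported series were not evaluated and may be affected
    return "not listed"       # a series newer than any the advisory mentions


def assess(version: str, middleware: list) -> dict:
    """Combine the version verdict with whether the cache-update middleware is enabled."""
    cache_mw = [m for m in middleware if m in CACHE_MIDDLEWARE]
    status = version_status(version)
    exposed = status in ("affected", "unevaluated") and bool(cache_mw)
    return {"version_status": status, "cache_middleware": cache_mw, "exposed": exposed}


if __name__ == "__main__":
    # Constructed settings for the demonstration; a real run would use django.get_version()
    # and settings.MIDDLEWARE.
    middleware = [
        "django.middleware.cache.UpdateCacheMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.middleware.cache.FetchFromCacheMiddleware",
    ]
    for v in ("5.2.13", "5.2.14", "6.0.4", "6.0.5", "4.2.20"):
        print(v, assess(v, middleware))
```

Removing UpdateCacheMiddleware from MIDDLEWARE, as the mitigation says, makes `assess` report `exposed: False` even on an affected version; upgrading to the fixed-in version is what turns `version_status` to `fixed`.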
VulDB
Django up to 5.2.13/6.0.4 django.middleware.cache.UpdateCacheMiddleware cache containing sensitive information (vuldb · 2026-05-05 · CVSS 2.3 · LOW)
A vulnerability has been found in Django up to 5.2.13/6.0.4 and classified as problematic. Affected is an unknown function of the component django.middleware.cache.UpdateCacheMiddleware. The manipulation leads to use of a cache containing sensitive information.
This vulnerability is uniquely identified as CVE-2026-6907. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
GHSA
GHSA-5hrc-gvxj-w55p: An issue was discovered in 6 (ghsa_unreviewed · 2026-05-05 · LOW · CWE-524)
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmad Sadeddin for reporting this issue.
GHSA
Django Uses Cache Containing Sensitive Information (ghsa · 2026-05-05 · LOW · CWE-524)
Django Uses Cache Containing Sensitive Information
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django thanks Ahmad Sadeddin for reporting this issue.
No detection rules found.
No public exploits indexed.
Published 2026-05-05