CVE-2026-6907

MEDIUM4.3EPSS 0.03%

Django Uses Cache Containing Sensitive Information

Published: 5/5/2026Modified: 5/20/2026

Also known as:GHSA-5hrc-gvxj-w55pBIT-django-2026-6907CGA-qqqg-gr94-jr5cPYSEC-2026-55

Description

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django thanks Ahmad Sadeddin for reporting this issue.

Affected packages (4)

Bitnami/django>= 5.2.0, < 5.2.14, >= 6.0.0, < 6.0.5
Debian/python-djangofrom 0
PyPI/django>= 6.0, < 6.0.5
PyPI/django>= 5.2, < 5.2.14, >= 6.0, < 6.0.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (8)

ADVISORYhttps://docs.djangoproject.com/en/dev/releases/security/
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-6907
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-6907
ADVISORYhttps://www.djangoproject.com/weblog/2026/may/05/security-releases/
PATCHhttps://github.com/django/django
WEBhttps://docs.djangoproject.com/en/dev/releases/security
WEBhttps://groups.google.com/g/django-announce
WEBhttps://www.djangoproject.com/weblog/2026/may/05/security-releases