Django Software Foundation · Django · CVE-2026-6907
**Name of the Vulnerable Software and Affected Versions**
Django versions 6.0 through 6.0.4
Django versions 5.2 through 5.2.13
**Description**
An issue in `django.middleware.cache.UpdateCacheMiddleware` causes responses whose `Vary` header contains an asterisk (`*`) to be erroneously cached. This behavior can lead to the storage and subsequent delivery of private data to unauthorized users.
**Recommendations**
Update to version 6.0.5 for versions 6.0 through 6.0.4.
Update to version 5.2.14 for versions 5.2 through 5.2.13.
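The following audit helper is an added example, not code from Django or from this advisory. It combines the affected version ranges above with a check for `Vary: *` on captured responses, to list the endpoints worth reviewing on a site that has the cache middleware enabled. The function names and the sample data are hypothetical and constructed for illustration.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed release).
AFFECTED = [((6, 0, 0), (6, 0, 5)), ((5, 2, 0), (5, 2, 14))]


def is_affected(version_text):
    """True if a release string such as '5.2.13' (e.g. from django.get_version()) is in range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text)
    if not m:
        raise ValueError(f"unrecognised version: {version_text!r}")
    version = tuple(int(g or 0) for g in m.groups())
    return any(first <= version < fixed for first, fixed in AFFECTED)


def vary_has_wildcard(headers):
    """True if any Vary field in a list of (name, value) pairs lists '*'.

    Header names are case-insensitive, a response may carry several Vary
    fields, and '*' may appear next to other field names.
    """
    values = (v for name, v in headers if name.lower() == "vary")
    return any(tok.strip() == "*" for value in values for tok in value.split(","))


def audit(version_text, responses):
    """Return the paths whose responses an affected cache middleware could store."""
    if not is_affected(version_text):
        return []
    return [path for path, headers in responses if vary_has_wildcard(headers)]


# Constructed sample: (path, response headers) as captured from a test client.
SAMPLE = [
    ("/account/", [("Vary", "Accept-Encoding, *"), ("Content-Type", "text/html")]),
    ("/static-page/", [("Vary", "Accept-Language, Cookie")]),
    ("/api/me", [("vary", "*")]),
    ("/docs/", [("Content-Type", "text/html")]),
]

if __name__ == "__main__":
    for path in audit("5.2.13", SAMPLE):
        print("Vary: * response on affected version:", path)
```

Any path it reports on an affected version is a candidate for purging from the cache after upgrading, since entries stored before the fix may still be served.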