PT-2026-37078 · Django Software Foundation +2 · Django +2
Ahmad Sadeddin +1
Published 2026-05-05 · Updated 2026-05-09 · CVE-2026-6907
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Django versions 6.0 through 6.0.4; Django versions 5.2 through 5.2.13
Description: An issue in django.middleware.cache.UpdateCacheMiddleware causes responses carrying a Vary header that contains an asterisk ('*') to be erroneously cached. Because such a response cannot be keyed on any request header, the stored copy can subsequently be delivered to other users, exposing private data to unauthorized parties.
Recommendations: Update to version 6.0.5 for versions 6.0 through 6.0.4. Update to version 5.2.14 for versions 5.2 through 5.2.13.
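To make the failure mode concrete, the following is an added stand-alone Python model (not Django's code, and not part of this advisory) of a shared cache that keys on the headers named in Vary; it contrasts a policy that stores Vary: * responses with one that refuses them. The request and response values are constructed samples.

```python
"""Stand-alone model of an UpdateCacheMiddleware-style shared cache (constructed
for this note; not Django's code).  It shows why a response carrying ``Vary: *``
must never be stored: such a response cannot be keyed on any request header, so a
single cached copy would be served to every later visitor of the same URL."""
from typing import Dict, List, Optional, Tuple


class SharedCache:
    """Minimal imitation of Django's UpdateCache / FetchFromCache pair."""

    def __init__(self, honour_vary_star: bool) -> None:
        self.honour_vary_star = honour_vary_star
        self.vary_by: Dict[str, List[str]] = {}   # path -> header names the key varies on
        self.store: Dict[str, str] = {}            # cache key -> cached body

    def _key(self, path: str, request_headers: Dict[str, str]) -> str:
        # Key = URL plus the request header values named in the stored Vary list.
        parts = [path] + [f"{h}={request_headers.get(h, '')}" for h in self.vary_by.get(path, [])]
        return "|".join(parts)

    def update(self, path: str, request_headers: Dict[str, str],
               response_headers: Dict[str, str], body: str) -> bool:
        """Store a response; return True if it was cached."""
        vary = [m.strip() for m in response_headers.get("Vary", "").split(",") if m.strip()]
        if self.honour_vary_star and "*" in vary:
            return False  # RFC 9111: Vary: * never matches a later request -> do not store
        self.vary_by[path] = vary
        self.store[self._key(path, request_headers)] = body
        return True

    def fetch(self, path: str, request_headers: Dict[str, str]) -> Optional[str]:
        if path not in self.vary_by:
            return None
        return self.store.get(self._key(path, request_headers))


def simulate(vary_value: str, honour_vary_star: bool) -> Tuple[Optional[str], Optional[str]]:
    """Alice's private page is cached; return what Alice, then Bob, get back."""
    cache = SharedCache(honour_vary_star)
    alice = {"Cookie": "sessionid=alice"}   # constructed sample requests
    bob = {"Cookie": "sessionid=bob"}
    cache.update("/account", alice, {"Vary": vary_value}, "alice's private page")
    return cache.fetch("/account", alice), cache.fetch("/account", bob)


if __name__ == "__main__":
    print(simulate("*", honour_vary_star=False))   # buggy policy: Bob sees Alice's page
    print(simulate("*", honour_vary_star=True))    # corrected policy: nothing is served
```

With a concrete Vary value such as Cookie the key differs per session, so only the Vary: * case collapses every user onto one cache entry.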

Fix


Weakness Enumeration

Related Identifiers

BIT-DJANGO-2026-6907
CVE-2026-6907
GHSA-5HRC-GVXJ-W55P
OESA-2026-2217
OESA-2026-2218
OESA-2026-2219
OESA-2026-2220
OPENSUSE-SU-2026:10708-1
OPENSUSE-SU-2026:10709-1
OPENSUSE-SU-2026:10718-1
PYSEC-2026-55
USN-8232-1

Affected Products

Django
Linuxmint
Ubuntu