PT-2026-45938 · Django · Django
Jacob Walls +2 · Published 2026-06-03 · Updated 2026-06-06 · CVE-2026-35193
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Django versions prior to 5.2.15
Django versions prior to 6.0.6
Description
An issue exists in django.middleware.cache.UpdateCacheMiddleware where the Authorization header is not added to the Vary response header for requests that include that header but lack Cache-Control: public. This allows remote attackers to access private cached responses by making unauthenticated requests to the same URL.

Recommendations
Update to version 5.2.15 or newer.
Update to version 6.0.6 or newer.
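
To illustrate the cache-key behaviour the description refers to, here is an added example (a simplified model, not Django's code and not part of the original advisory): a response cache keyed on the URL plus the request headers named in Vary, run once without and once with Authorization in Vary. The VaryCache class, the fetch and demo helpers, the /api/profile URL and the token values are constructed for illustration.

```python
# Simplified model of a Vary-keyed response cache. Constructed for illustration;
# this is not Django's implementation.

class VaryCache:
    def __init__(self):
        self._vary = {}   # url -> header names that are part of the cache key
        self._store = {}  # (url, values of those headers) -> cached body

    def _key(self, url, headers):
        return (url, tuple(headers.get(h, "") for h in self._vary.get(url, ())))

    def get(self, url, headers):
        return self._store.get(self._key(url, headers))

    def put(self, url, headers, body, vary):
        # Header names listed in Vary accumulate per URL in this model.
        names = set(self._vary.get(url, ())) | {h.lower() for h in vary}
        self._vary[url] = tuple(sorted(names))
        self._store[self._key(url, headers)] = body


def fetch(cache, url, headers, vary_on_authorization):
    """Return (body, served_from_cache) for one request through the cache."""
    headers = {k.lower(): v for k, v in headers.items()}
    cached = cache.get(url, headers)
    if cached is not None:
        return cached, True
    # Hypothetical view: personalised body, no Cache-Control: public.
    token = headers.get("authorization")
    body = f"private data for {token}" if token else "login required"
    vary = ["Authorization"] if (vary_on_authorization and token) else []
    cache.put(url, headers, body, vary)
    return body, False


def demo(vary_on_authorization):
    cache = VaryCache()
    url = "/api/profile"  # constructed sample URL
    first = fetch(cache, url, {"Authorization": "Bearer alice"}, vary_on_authorization)
    anon = fetch(cache, url, {}, vary_on_authorization)
    again = fetch(cache, url, {"Authorization": "Bearer alice"}, vary_on_authorization)
    return first, anon, again


if __name__ == "__main__":
    print("without Vary: Authorization ->", demo(False)[1])
    print("with Vary: Authorization    ->", demo(True)[1])
```

In the model, the request without credentials is served the stored private body only when Authorization is absent from Vary; with it present, that request misses the cache and the authenticated client still gets its own cached entry.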
Affected Products
Django