Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Cantina for reporting this issue.
Published: 2026-05-05
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in Django 6.0 prior to 6.0.5 and 5.2 prior to 5.2.14 allows an attacker to hijack a user’s session. When the setting SESSION_SAVE_EVERY_REQUEST is enabled, response headers for cached public pages do not vary on cookies if the session is unchanged. A remote attacker can then obtain the user’s legitimate session cookie from a cached page and use it to impersonate that user, potentially accessing or modifying sensitive data. This falls under CWE‑539 and can lead to confidentiality and integrity compromise for affected users.

Affected Systems

The vulnerability affects Django versions 6.0 before 6.0.5 and 5.2 before 5.2.14. Earlier but unsupported series such as 5.0.x, 4.1.x, and 3.2.x may also be impacted, though they were not explicitly evaluated. All installations that enable SESSION_SAVE_EVERY_REQUEST and expose cached public pages without proper cache validation are at risk.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, but the vulnerability is remotely exploitable via cached content and is not yet listed in the CISA KEV catalog. The EPSS score is not available, so the exact likelihood of exploitation is uncertain. Likely an attacker could discover cached pages, capture session cookies, and then use them to impersonate users. The impact to a single session translates to potential compromise of user accounts and data for each affected application.

Generated by OpenCVE AI on May 5, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to at least 6.0.5 or 5.2.14 where the issue is fixed.
  • If an immediate upgrade is not feasible, set SESSION_SAVE_EVERY_REQUEST to False to stop the server from sending identical response headers for cached pages.
  • Configure caching so that public cached pages vary their response headers based on the session cookie or remove caching altogether for any page that can reveal session information.

Generated by OpenCVE AI on May 5, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8232-1 Django vulnerabilities
History

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Title Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Weaknesses CWE-539
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-05-05T14:50:29.984Z

Reserved: 2026-04-01T18:21:23.779Z

Link: CVE-2026-35192

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-05T16:16:12.383

Modified: 2026-05-05T19:34:40.250

Link: CVE-2026-35192

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T18:00:13Z

Weaknesses