Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Shai Berger for reporting this issue.
Published: 2026-06-03
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Django's UpdateCacheMiddleware, which fails to add Authorization to the Vary response header when the request carries an Authorization header and the response is not marked Cache-Control: public. Because a Django page-cache entry is keyed on the URL plus the request values of the headers named in Vary, the cached copy of a response generated for an authenticated user is then stored under a key that an unauthenticated request for the same URL also produces, and that client is served the private content. The flaw is classified as CWE-524 (Use of Cache Containing Sensitive Information).

Affected Systems

Affected products are Django 5.2 before 5.2.15 and Django 6.0 before 6.0.6. Earlier, unsupported series such as 5.0.x, 4.1.x and 3.2.x were not evaluated and may also be affected.

Risk and Exploitability

The CVSS v4.0 score of 2.3 (CVSS v3.1: 3.1) rates the issue Low, and it is not listed in CISA's KEV catalog, which records exploitation in the wild, not the existence of a public exploit. The attack is nonetheless remote over HTTP: an unauthenticated client only has to request a URL whose response was cached for an authenticated user, and the v4.0 vector's AT:P and UI:P components reflect that a private response must already sit in the cache, which depends on a legitimate user's activity. No EPSS score is available yet, so the likelihood of exploitation is uncertain, but it is higher in deployments that enable the cache middleware site-wide for content served to authenticated users.

Generated by OpenCVE AI on June 3, 2026 at 15:22 UTC.

Remediation

No separate vendor fix or workaround entry is recorded here; the description states that the issue is fixed in Django 5.2.15 and 6.0.6.

OpenCVE Recommended Actions

  • Upgrade Django to version 5.2.15, 6.0.6, or later, where the missing Vary: Authorization header is added by UpdateCacheMiddleware.
  • If you cannot upgrade immediately, either keep responses that contain user-specific data out of the cache (for example with django.views.decorators.cache.never_cache) or add Authorization to the Vary header of responses to requests that bear it (django.utils.cache.patch_vary_headers), so that the cache key differs for authenticated and unauthenticated clients.
  • Review all custom caching middleware and reverse proxies to ensure they honour the Authorization header and never serve a response cached for an authenticated user to an unauthenticated client.
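As an added illustration, written for this page and not Django's own code, the following models a shared page cache keyed on the URL plus the request values of the headers named in Vary, and runs the vulnerable behaviour (no Vary: Authorization) beside the corrected behaviour the advisory describes. The Request and Response classes, the two views, the bearer token and the URLs are all constructed for the example.

```python
"""Constructed model (added for this page, not Django's own code) of the
UpdateCacheMiddleware defect in CVE-2026-35193: a shared cache that keys
entries on the URL plus the request headers named in Vary. When Authorization
is left out of Vary, a response generated for an authenticated user is stored
under a key that an unauthenticated client also produces."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def parse_vary(response: Response) -> list:
    return [v.strip() for v in response.headers.get("vary", "").split(",") if v.strip()]


def patch_vary(response: Response, name: str) -> None:
    """Append a header name to Vary without duplicating it (the role that
    django.utils.cache.patch_vary_headers plays in a real deployment)."""
    vary = parse_vary(response)
    if name.lower() not in [v.lower() for v in vary]:
        vary.append(name)
    response.headers["vary"] = ", ".join(vary)


def cache_key(request: Request, vary: list) -> str:
    """Key = URL + the request value of every header named in Vary.
    A header that is not in Vary has no influence on the key at all."""
    parts = [request.path]
    for name in sorted(v.lower() for v in vary):
        parts.append(f"{name}={request.headers.get(name, '')}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class CacheMiddleware:
    """Fetch-then-update cache wrapper around a view. fixed=True applies the
    behaviour the advisory describes as the fix: add Authorization to Vary when
    the request bears that header and the response is not Cache-Control: public."""

    def __init__(self, view, fixed: bool):
        self.view = view
        self.fixed = fixed
        self.vary_by_path = {}  # URL -> Vary list of the stored entry
        self.pages = {}         # cache key -> Response
        self.view_calls = 0     # how often the cache missed and the view ran

    def __call__(self, request: Request) -> Response:
        key = cache_key(request, self.vary_by_path.get(request.path, []))
        if key in self.pages:
            return self.pages[key]
        response = self.view(request)
        self.view_calls += 1
        cache_control = response.headers.get("cache-control", "").lower()
        if self.fixed and "authorization" in request.headers and "public" not in cache_control:
            patch_vary(response, "Authorization")
        vary = parse_vary(response)
        self.vary_by_path[request.path] = vary
        self.pages[cache_key(request, vary)] = response
        return response


def profile_view(request: Request) -> Response:
    """Constructed view: private data only for a bearer of Authorization.
    It sets no Cache-Control header, so the response is not marked public."""
    if "authorization" in request.headers:
        return Response("profile: alice <alice@example.test>")
    return Response("login required")


def news_view(request: Request) -> Response:
    """Constructed view of genuinely shareable content, explicitly public."""
    return Response("headline of the day", {"cache-control": "public, max-age=60"})


def anonymous_sees_private(fixed: bool) -> str:
    """Authenticated request first (populates the cache), then an anonymous one."""
    mw = CacheMiddleware(profile_view, fixed=fixed)
    mw(Request("/profile", {"authorization": "Bearer alice-token"}))
    return mw(Request("/profile")).body


def public_still_shared(fixed: bool) -> int:
    """Public responses must still be served from cache to everyone: returns how
    many times the view ran for one authenticated plus one anonymous request."""
    mw = CacheMiddleware(news_view, fixed=fixed)
    mw(Request("/news", {"authorization": "Bearer alice-token"}))
    mw(Request("/news"))
    return mw.view_calls


if __name__ == "__main__":
    print("vulnerable:", anonymous_sees_private(fixed=False))  # private profile leaks
    print("fixed:     ", anonymous_sees_private(fixed=True))   # login required
    print("public view calls (fixed):", public_still_shared(fixed=True))  # 1
```

With the fix, the anonymous request computes a different key (its Authorization value is empty) and misses the cache, while an explicitly public response is still shared, which is why the advisory scopes the fix to responses without Cache-Control: public. In a real Django project the equivalent of patch_vary is django.utils.cache.patch_vary_headers(response, ("Authorization",)), and views that return user-specific data can be kept out of the cache entirely with django.views.decorators.cache.never_cache.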

Generated by OpenCVE AI on June 3, 2026 at 15:22 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Djangoproject; Djangoproject django
Vendors & Products | | Djangoproject; Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.
Title | | Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
Weaknesses | | CWE-524
References | |
Metrics | | cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Djangoproject Django
MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T13:16:38.456Z

Reserved: 2026-04-01T18:21:23.779Z

Link: CVE-2026-35193

Vulnrichment

Updated: 2026-06-03T15:47:14.925Z

NVD

Status : Received

Published: 2026-06-03T14:16:41.247

Modified: 2026-06-03T14:16:41.247

Link: CVE-2026-35193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:30:26Z

Weaknesses