Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Navid Rezazadeh for reporting this issue.
Published: 2026-06-03
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in Django's cache header handling routine: the function that decides whether a cached response matches a new request compares Vary header values without trimming leading or trailing whitespace. Because padding is not discarded, responses that differ only by whitespace are treated as distinct cache entries. By sending a request to a URL whose response carries a whitespace-padded Vary header, an attacker can retrieve a cached response that was not intended for public consumption. Remote parties can therefore read private or sensitive data cached by the application, without authentication or elevated privileges, exposing confidential information.

Affected Systems

The issue affects Django branches 5.2.x before 5.2.15 and 6.0.x before 6.0.6. Older, unsupported series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated, but they might contain the same code path and therefore could also be impacted.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV, suggesting limited exploitation in the wild. The attack is remote; any user with the ability to send HTTP requests to a Django application can potentially exploit the flaw. The risk is modest but the impact is the disclosure of data that was once protected by caching rules.

Generated by OpenCVE AI on June 3, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the official Django patch by upgrading to Django 5.2.15 or newer, or to Django 6.0.6 or newer, which trims whitespace from Vary header values before comparison.
  • If an immediate upgrade is not possible, implement a middleware that normalizes Vary header values (removing leading and trailing whitespace) before they are stored or compared in the cache.
  • Restrict caching of sensitive responses by setting appropriate Cache-Control headers such as private or no-store, or by configuring Vary headers to exclude sensitive data from cached entries.
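A whitespace-normalizing Vary middleware of the kind the second action describes, written here as an added example (it is not Django's code or the upstream patch). It assumes the new-style Django middleware shape (`__init__(get_response)`, `__call__(request)`), uses a constructed stand-in `Response` with a `headers` dict so it runs without Django, and includes a constructed `naive_has_vary_header` that reproduces the described padding defect for contrast with the hardened `has_vary_header`.

```python
import re

# Added example (not Django's code or the patch): Django-style middleware that
# normalizes the Vary header so whitespace-padded members still match later.
# Response is a constructed stand-in so this runs without Django installed.

_VARY_DELIM = re.compile(r"\s*,\s*")  # Vary members are comma-separated

def vary_members(value):
    """Trimmed, non-empty member names of a Vary header value."""
    return [m for m in _VARY_DELIM.split(value.strip()) if m]

def normalize_vary(value):
    """Rebuild the header: trimmed members, order kept, case-insensitive dedupe."""
    seen, members = set(), []
    for name in vary_members(value):
        if name.lower() not in seen:
            seen.add(name.lower())
            members.append(name)
    return ", ".join(members)

def naive_has_vary_header(headers, header_query):
    """Constructed illustration of the flaw: whitespace around commas is removed,
    but leading/trailing padding is not, so ' Cookie' never matches 'Cookie'."""
    members = _VARY_DELIM.split(headers.get("Vary", ""))
    return header_query.lower() in [m.lower() for m in members]

def has_vary_header(headers, header_query):
    """Hardened check: compare trimmed member names case-insensitively."""
    members = vary_members(headers.get("Vary", ""))
    return header_query.lower() in {m.lower() for m in members}

class Response:
    """Minimal stand-in for a framework response: only a headers dict."""
    def __init__(self, headers):
        self.headers = dict(headers)

class NormalizeVaryMiddleware:
    """New-style Django middleware shape: __init__(get_response), __call__(request)."""
    def __init__(self, get_response):
        self.get_response = get_response
    def __call__(self, request):
        response = self.get_response(request)
        vary = response.headers.get("Vary")
        if vary is not None:  # rewrite before any cache layer compares it
            response.headers["Vary"] = normalize_vary(vary)
        return response
```

Place the middleware above the cache middleware in the middleware list so the header is rewritten before the cache layer inspects it.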

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 15:45:00 +0000

Type: First Time appeared
Values added: Djangoproject; Djangoproject django
Type: Vendors & Products
Values added: Djangoproject; Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type: Description
Values added: An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
Type: Title
Values added: Potential exposure of private data via whitespace padding in Vary header
Type: Weaknesses
Values added: CWE-1023
Type: References
Type: Metrics
Values added: cvssV3_1
{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}
cvssV4_0
{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T13:16:47.811Z

Reserved: 2026-05-21T20:50:32.465Z

Link: CVE-2026-48587

Vulnrichment

Updated: 2026-06-03T15:47:38.003Z

NVD

Status: Received

Published: 2026-06-03T14:16:44.983

Modified: 2026-06-03T14:16:44.983

Link: CVE-2026-48587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T16:30:36Z

Weaknesses