Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Navid Rezazadeh for reporting this issue.
Published: 2026-06-03
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in `django.utils.cache.has_vary_header()`, the helper Django's cache layer calls to ask whether a response already declares that it varies on a given request header. The helper splits the `Vary` value on commas and compares the lowercased tokens against the queried name, but it does not strip leading or trailing whitespace, so a value such as `Vary:  Cookie` (leading space) or `Vary: Cookie ` (trailing space) is not recognized as varying on `Cookie`. Django's `UpdateCacheMiddleware` relies on that answer to refuse to cache a response that sets a user-specific cookie in reply to a cookie-less request; when padding defeats the check, such a response can be written to the shared cache and then served to any later client requesting the same URL. The outcome is disclosure of cached content that should have been treated as private to one user. Reading the leaked response needs no authentication or elevated privilege, but it does require a target that runs Django's cache middleware and emits a whitespace-padded `Vary` header, which is why the CVSS v4 vector records attack requirements (AT:P).

Affected Systems

The issue affects Django branches 5.2.x before 5.2.15 and 6.0.x before 6.0.6. Older, unsupported series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated, but they might contain the same code path and therefore could also be impacted.

Risk and Exploitability

The CVSS v4.0 score of 2.3 (CVSS v3.1: 3.1, with AC:H and UI:R) indicates low severity. EPSS is below 1%, the CVE is not listed in CISA KEV, and the SSVC record in the history section rates exploitation as "none" and the issue as not automatable. The attack is remote and the reader of the cached response needs no credentials, but exploitation has preconditions: the application must use Django's cache middleware and must emit a `Vary` header with leading or trailing whitespace, and a response carrying another user's private data must be cached first (the v4 vector's AT:P and UI:P). Where those conditions hold, the impact is disclosure of data the caching rules were meant to keep private.

Generated by OpenCVE AI on June 4, 2026 at 01:37 UTC.

Remediation

The description names Django 5.2.15 and 6.0.6 as the fixed releases; no vendor-supplied workaround is recorded here.

OpenCVE Recommended Actions

  • Upgrade to Django 5.2.15 or newer, or to Django 6.0.6 or newer, the releases the description names as fixed, so that `has_vary_header()` strips whitespace from each `Vary` token before comparing it.
  • If an immediate upgrade is not possible, add a middleware that normalizes the `Vary` value (strip each comma-separated token) before the cache middleware inspects it; because Django runs the response phase in reverse `MIDDLEWARE` order, such a middleware has to be listed after `UpdateCacheMiddleware` so that it sees the response first.
  • Audit application code and third-party middleware that build the `Vary` header by hand (string concatenation or direct assignment), since the padding has to originate somewhere in the response pipeline, and keep sensitive responses out of the shared cache with `Cache-Control: private` or `no-store`.
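The comparison described in the impact section and the normalizing middleware suggested in the actions above, as an added example that is not Django's code: a simplified model of the pre-fix `has_vary_header()` comparison on plain header dicts, the stripped variant, a model of the cookie guard in the cache middleware, and a hypothetical `VaryNormalizingMiddleware` (name chosen here) that works on any response supporting `in`, `[]` and `[]=` on header names. The sample headers are constructed for the example, and the script runs without Django installed.

```python
import re

# Django's delimiter regex for Vary/Cache-Control lists is r"\s*,\s*":
# padding around commas is consumed, padding at the ends of the value is not.
DELIM_RE = re.compile(r"\s*,\s*")


def has_vary_header_padded(headers, header_query):
    """Model of the pre-fix comparison, on a plain dict of response headers.

    Tokens are lowercased but never stripped, so a value of " Cookie" or
    "Cookie " yields the token " cookie" / "cookie " and the lookup fails.
    """
    vary = headers.get("Vary")
    if vary is None:
        return False
    tokens = {t.lower() for t in DELIM_RE.split(vary)}
    return header_query.lower() in tokens


def has_vary_header_fixed(headers, header_query):
    """The same check with each token stripped before comparison."""
    vary = headers.get("Vary")
    if vary is None:
        return False
    tokens = {t.strip().lower() for t in DELIM_RE.split(vary)}
    return header_query.lower() in tokens


def cache_guard_allows_store(request_has_cookies, response_sets_cookie, headers,
                             has_vary=has_vary_header_padded):
    """Model of the cache middleware rule: do not store a response that sets a
    cookie in reply to a cookie-less request when it declares Vary: Cookie.
    Returns True when the response would be written to the shared cache."""
    if not request_has_cookies and response_sets_cookie and has_vary(headers, "Cookie"):
        return False
    return True


def normalize_vary(value):
    """Canonical Vary value: strip every token, drop empties, de-duplicate
    case-insensitively, keep first-seen order and spelling."""
    seen, out = set(), []
    for token in value.split(","):
        token = token.strip()
        if token and token.lower() not in seen:
            seen.add(token.lower())
            out.append(token)
    return ", ".join(out)


class VaryNormalizingMiddleware:
    """Hypothetical Django-style middleware (assumed name) that rewrites a padded
    Vary header on every response. It only needs `"Vary" in resp`, `resp["Vary"]`
    and `resp["Vary"] = ...`, which a Django HttpResponse provides; a plain dict
    provides them too, which is what the stand-alone demo below uses.

    Ordering matters: Django runs response-phase middleware in reverse MIDDLEWARE
    order, so list this class below UpdateCacheMiddleware so the header is
    normalized before the cache middleware inspects it.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        if "Vary" in response:
            response["Vary"] = normalize_vary(response["Vary"])
        return response


if __name__ == "__main__":
    # Constructed sample: a response that sets a session cookie for a client
    # that sent none, and carries a whitespace-padded Vary header.
    padded = {"Vary": " Cookie", "Set-Cookie": "sessionid=abc"}
    print("padded, pre-fix check:", has_vary_header_padded(padded, "Cookie"))    # False
    print("padded, fixed check:  ", has_vary_header_fixed(padded, "Cookie"))     # True
    print("stored in shared cache (pre-fix):",
          cache_guard_allows_store(False, True, padded))                         # True (leak)
    print("stored in shared cache (fixed):  ",
          cache_guard_allows_store(False, True, padded, has_vary_header_fixed))  # False
    mw = VaryNormalizingMiddleware(lambda req: dict(padded))
    print("after middleware:", mw(None)["Vary"])                                  # Cookie
```

The guard model shows the practical consequence: with the padded header the pre-fix check says "does not vary on Cookie", so the cookie-setting response is eligible for the shared cache, while the stripped check keeps it out. Running the normalizer first makes either check behave.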


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Thu, 04 Jun 2026 00:15:00 +0000

Type         Values Removed           Values Added
Weaknesses                            CWE-524
References
Metrics      threat_severity: None    threat_severity: Low


Wed, 03 Jun 2026 16:30:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Djangoproject; Djangoproject django
Vendors & Products                     Djangoproject; Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description                    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.
Title                          Potential exposure of private data via whitespace padding in Vary header
Weaknesses                     CWE-1023
References
Metrics                        cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}
                               cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T15:47:55.165Z

Reserved: 2026-05-21T20:50:32.465Z

Link: CVE-2026-48587

Vulnrichment

Updated: 2026-06-03T15:47:38.003Z

NVD

Status : Analyzed

Published: 2026-06-03T14:16:44.983

Modified: 2026-06-05T13:03:01.210

Link: CVE-2026-48587

Redhat

Severity : Low

Public Date: 2026-06-03T13:16:47Z

Links: CVE-2026-48587 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T01:45:46Z

Weaknesses
  • CWE-1023

    Incomplete Comparison with Missing Factors

  • CWE-524

    Use of Cache Containing Sensitive Information