Description
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Chris Whyland for reporting this issue.
Published: 2026-07-07
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue lies in Django's caching middleware and decorator, which incorrectly cache responses that vary based on cookies when the request contains unrelated cookies. This behavior allows an attacker to read private data from a shared cache, resulting in information disclosure. The weakness is CWE-524, relating to incorrect handling of sensitive information.

Affected Systems

Affected versions are Django 6.0 prior to 6.0.7 and Django 5.2 prior to 5.2.16. Earlier series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may also be vulnerable. The vulnerable component is the UpdateCacheMiddleware and the cache_page decorator that store cookie‑varying content in the cache.

Risk and Exploitability

The CVSS score of 2.3 denotes a low severity vulnerability. No EPSS score is available, and the issue is not listed in CISA's KEV catalog. Exploitation requires an attacker to send a request with unrelated cookies to a Django application using the affected middleware or decorator, causing the server to cache the response. The attacker can then retrieve cached content at a later time to read private data.

Generated by OpenCVE AI on July 8, 2026 at 09:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to version 6.0.7 or later, or 5.2.16 or later to apply the patch.
  • If upgrading immediately is not possible, disable caching for responses that include Set-Cookie headers or configure cache settings to prevent cookie‑dependent content from being stored.
  • Review your middleware configuration to ensure that only cookie‑specific cache keys are generated and that sensitive data is not cached in shared caches.

Generated by OpenCVE AI on July 8, 2026 at 09:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Tue, 07 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Chris Whyland for reporting this issue.
Title Potential exposure of private data via cached Set-Cookie response
Weaknesses CWE-524
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-07-07T14:59:53.337Z

Reserved: 2026-05-21T20:50:32.466Z

Link: CVE-2026-48588

cve-icon Vulnrichment

Updated: 2026-07-07T14:59:49.237Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T09:15:03Z

Weaknesses
  • CWE-524

    Use of Cache Containing Sensitive Information