Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmad Sadeddin for reporting this issue.
Published: 2026-05-05
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Django’s UpdateCacheMiddleware, which mistakenly caches responses that include a Vary header with an asterisk character. This incorrect handling causes private data to be stored in the cache and later served to other users. The weakness is a form of insecure data storage and is identified as CWE-524, leading to potential confidentiality breaches.

Affected Systems

Django 6.0 releases before 6.0.5 and Django 5.2 releases before 5.2.14 are affected. Earlier, unsupported Django series such as 5.0.x, 4.1.x and 3.2.x may also be impacted.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score is not available, so the likelihood of exploitation is unclear. The vulnerability can be triggered by any HTTP request that passes through UpdateCacheMiddleware and contains a Vary header with '*', which is common in typical web traffic. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 5, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Django 6.0.5 or later, or Django 5.2.14 or later, or upgrade to a supported release that includes the fix.
  • Ensure that UpdateCacheMiddleware is disabled or configured not to cache responses with a Vary header that contains '*'.
  • If an immediate upgrade is not possible, modify or replace the middleware to strip or correct the '*' character from Vary headers before caching.
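Since the page gives no code, here is an added example of the pre-cache guard the second and third actions describe. It is not Django's UpdateCacheMiddleware and not OpenCVE's code: a standalone Python check that refuses to write a response to a shared cache when its Vary header contains '*', alongside the other conditions a shared cache should respect. The function names, the CACHEABLE_STATUS set and the sample responses are assumptions made for illustration.

```python
"""Added example (not Django's own code): a guard a caching middleware can
apply before writing a response to a shared cache.

RFC 9110 section 12.5.5 says a response carrying ``Vary: *`` is never usable
for any request other than the one it answered, so a per-URL cache must not
store it.  Storing it anyway is how one user's private response ends up being
served to another, which is the failure mode this advisory describes.
"""
from __future__ import annotations

# Assumption for this example: only plain 200 responses are ever stored.
CACHEABLE_STATUS = {200}


def split_list_header(value: str | None) -> list[str]:
    """Split a comma-separated HTTP list header into trimmed, lower-cased tokens."""
    if not value:
        return []
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def vary_forbids_caching(vary: str | None) -> bool:
    """True if the Vary header contains the wildcard '*'.

    The wildcard counts whether it stands alone ("*") or is mixed with field
    names ("Cookie, *"); either form makes the response unusable for anyone else.
    """
    return "*" in split_list_header(vary)


def should_store_in_shared_cache(status_code: int, headers: dict[str, str]) -> bool:
    """Decide whether a response may be written to a shared, per-URL cache.

    Checks, in order: status code, Cache-Control directives that forbid shared
    storage, and the Vary wildcard.  Header names are matched case-insensitively.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if status_code not in CACHEABLE_STATUS:
        return False
    directives = split_list_header(lowered.get("cache-control"))
    if any(d in ("private", "no-store") for d in directives):
        return False
    if vary_forbids_caching(lowered.get("vary")):
        return False
    return True


# Constructed sample responses (not captured traffic) exercising each branch.
SAMPLE_RESPONSES = [
    ("public page", 200, {"Vary": "Accept-Encoding"}),
    ("per-user page, wildcard Vary", 200, {"Vary": "*"}),
    ("wildcard mixed with names", 200, {"vary": "Cookie, *"}),
    ("private by Cache-Control", 200, {"Cache-Control": "private, max-age=60"}),
    ("server error", 500, {}),
]


def classify_samples() -> dict[str, bool]:
    """Run the guard over the constructed samples; True means 'may be cached'."""
    return {label: should_store_in_shared_cache(code, hdrs) for label, code, hdrs in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for label, ok in classify_samples().items():
        print(f"{'STORE' if ok else 'SKIP '}  {label}")
```

The check sits on the response side deliberately: Vary is a response header, so the decision not to store belongs where the response is about to be written, not where the request is read. A middleware that applies this guard before every cache write avoids the mixed-user exposure regardless of which Django version is installed, though upgrading remains the actual fix.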


Advisories
Source: Ubuntu USN
ID: USN-8232-1
Title: Django vulnerabilities
History

Tue, 05 May 2026 18:15:00 +0000

Type: First Time appeared
  Values Added: Djangoproject; Djangoproject django
Type: Vendors & Products
  Values Added: Djangoproject; Djangoproject django

Tue, 05 May 2026 16:15:00 +0000

Type: Description
  Values Added: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
Type: Title
  Values Added: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Type: Weaknesses
  Values Added: CWE-524
Type: References
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
    cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-05-05T14:50:02.594Z

Reserved: 2026-04-23T11:19:30.877Z

Link: CVE-2026-6907

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-05-05T16:16:18.227

Modified: 2026-05-05T19:34:40.250

Link: CVE-2026-6907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:00:12Z

Weaknesses