Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmad Sadeddin for reporting this issue.
Published: 2026-05-05
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Django’s UpdateCacheMiddleware, which mistakenly caches responses that include a Vary header containing an asterisk ('*'). This incorrect handling causes private data to be stored in the cache and later served to other users. The weakness is a form of insecure data storage and is identified as CWE-524, leading to potential confidentiality breaches.
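As an added illustration (constructed for this page, not Django's own code and a simplified model rather than the real UpdateCacheMiddleware), the following toy shared cache keys stored responses on the request headers named in Vary, and shows why treating '*' as an ordinary header name lets one user's private response be served to another:

```python
from dataclasses import dataclass, field

def parse_vary(headers: dict[str, str]) -> list[str]:
    """Field names listed in the Vary header: lower-cased, de-duplicated, '*' kept as a token."""
    value = next((v for k, v in headers.items() if k.lower() == "vary"), "")
    names: list[str] = []
    for token in value.split(","):
        token = token.strip().lower()
        if token and token not in names:
            names.append(token)
    return names

def storable(response_headers: dict[str, str], fixed: bool = True) -> bool:
    """'Vary: *' means no later request can be matched to this response without
    asking the origin (RFC 9110 s12.5.5), so a correct shared cache never stores it.
    fixed=False models the flaw: '*' is treated like any other header name."""
    return not (fixed and "*" in parse_vary(response_headers))

@dataclass
class SharedCache:
    """Toy shared cache: primary key = path, secondary key = the request header
    values named by the stored response's Vary list (constructed model, not Django)."""
    fixed: bool = True
    _entries: dict = field(default_factory=dict)  # path -> [(vary, secondary_key, body)]
    @staticmethod
    def _secondary_key(vary: list[str], request_headers: dict[str, str]) -> tuple:
        lowered = {k.lower(): v for k, v in request_headers.items()}
        # No request carries a header literally named '*': under the flaw the key is (None,) for every client.
        return tuple(lowered.get(name) for name in vary)

    def store(self, path, request_headers, response_headers, body) -> bool:
        if not storable(response_headers, self.fixed):
            return False
        vary = parse_vary(response_headers)
        self._entries.setdefault(path, []).append((vary, self._secondary_key(vary, request_headers), body))
        return True

    def lookup(self, path, request_headers):
        for vary, key, body in self._entries.get(path, []):
            if key == self._secondary_key(vary, request_headers):
                return body
        return None

def demo(fixed: bool):
    """Alice's private page is answered with 'Vary: *'; does Bob then receive it?"""
    cache = SharedCache(fixed=fixed)
    alice = {"Cookie": "sessionid=alice"}   # constructed sample requests
    bob = {"Cookie": "sessionid=bob"}
    cache.store("/account", alice, {"Vary": "*", "Content-Type": "text/html"}, "alice's statement")
    return cache.lookup("/account", bob)     # flaw: "alice's statement"; fixed: None
```

With a conventional `Vary: Cookie` the secondary key differs per session and Bob gets a miss either way; only the '*' case collapses every client onto one cache entry.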

Affected Systems

Django 6.0 releases before 6.0.5 and Django 5.2 releases before 5.2.14 are affected. Earlier, unsupported Django series such as 5.0.x, 4.1.x and 3.2.x may also be impacted.

Risk and Exploitability

The CVSS score of 2.3 indicates low overall severity, and the EPSS score is not available, so the likelihood of exploitation is unclear. The vulnerability can be triggered by any HTTP request that passes through UpdateCacheMiddleware and contains a Vary header with '*', which is common in typical web traffic. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 5, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Django 6.0.5 or later, or Django 5.2.14 or later, or upgrade to a supported release that includes the fix.
  • Ensure that UpdateCacheMiddleware is disabled or configured not to cache responses with a Vary header that contains '*'.
  • If an immediate upgrade is not possible, modify or replace the middleware to strip or correct the '*' character from Vary headers before caching.


Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-5hrc-gvxj-w55p   Django Uses Cache Containing Sensitive Information
Ubuntu USN    USN-8232-1            Django vulnerabilities
History

Sat, 09 May 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity = None
  Values Added:   threat_severity = Moderate


Thu, 07 May 2026 14:30:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Wed, 06 May 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 18:15:00 +0000

Type: First Time appeared
  Values Added: Djangoproject; Djangoproject django
Type: Vendors & Products
  Values Added: Djangoproject; Djangoproject django

Tue, 05 May 2026 16:15:00 +0000

Type: Description
  Values Added: An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
Type: Title
  Values Added: Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware
Type: Weaknesses
  Values Added: CWE-524
Type: References
Type: Metrics
  Values Added: cvssV3_1 = {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  Values Added: cvssV4_0 = {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Djangoproject Django
MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-05-06T15:25:33.698Z

Reserved: 2026-04-23T11:19:30.877Z

Link: CVE-2026-6907

Vulnrichment

Updated: 2026-05-05T17:03:49.787Z

NVD

Status : Analyzed

Published: 2026-05-05T16:16:18.227

Modified: 2026-05-07T14:16:04.940

Link: CVE-2026-6907

Redhat

Severity : Moderate

Public Date: 2026-05-05T14:50:02Z

Links: CVE-2026-6907 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-05T18:00:12Z

Weaknesses