Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmed Badawe for reporting this issue.
Published: 2026-06-03
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Django versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6 contain a flaw in UpdateCacheMiddleware where the Cache-Control response directives are matched case-sensitively. If a response header uses uppercase or mixed‑case values, the middleware may cache the response despite the presence of a no‑cache directive, allowing an attacker to retrieve data that should have been protected. The weakness manifests as inadvertent disclosure of private or sensitive information through cached responses.

Affected Systems

All deployments of Django 5.2 before 5.2.15 and Django 6.0 before 6.0.6 are impacted. The ad‑hoc mention of older unsupported series such as 5.0.x, 4.1.x, and 3.2.x suggests that these may also exhibit the same behavior, but no official assessment is provided.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity vulnerability. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, implying limited publicly documented exploitation. The attack surface is remote, hinging on the presence of UpdateCacheMiddleware and mis‑configured Cache‑Control headers; an attacker can trigger the insecure caching behavior from anywhere over the network by sending crafted HTTP requests.

Generated by OpenCVE AI on June 3, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to the latest release (at least 5.2.15 or 6.0.6) where Cache‑Control directives are matched case‑insensitively.
  • Remove or replace UpdateCacheMiddleware for sensitive views until the update is applied.
  • Clear existing cache entries that may have been stored incorrectly before applying the patch and verify that subsequent responses respect appropriate caching policies.

Generated by OpenCVE AI on June 3, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
Title Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
Weaknesses CWE-178
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T15:46:40.439Z

Reserved: 2026-05-12T15:06:18.803Z

Link: CVE-2026-8404

cve-icon Vulnrichment

Updated: 2026-06-03T15:46:37.589Z

cve-icon NVD

Status : Received

Published: 2026-06-03T14:16:47.650

Modified: 2026-06-03T14:16:47.650

Link: CVE-2026-8404

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T16:00:13Z

Weaknesses