Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmed Badawe for reporting this issue.
Published: 2026-06-03
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Django versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6 contain a flaw in UpdateCacheMiddleware where the Cache-Control response directives are matched case-sensitively. If a response header uses uppercase or mixed‑case values, the middleware may cache the response despite the presence of a no‑cache directive, allowing an attacker to retrieve data that should have been protected. The weakness manifests as inadvertent disclosure of private or sensitive information through cached responses.

Affected Systems

All deployments of Django 5.2 before 5.2.15 and Django 6.0 before 6.0.6 are impacted. The ad‑hoc mention of older unsupported series such as 5.0.x, 4.1.x, and 3.2.x suggests that these may also exhibit the same behavior, but no official assessment is provided.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity vulnerability. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, implying limited publicly documented exploitation. The attack surface is remote, hinging on the presence of UpdateCacheMiddleware and mis‑configured Cache‑Control headers; an attacker can trigger the insecure caching behavior from anywhere over the network by sending crafted HTTP requests.

Generated by OpenCVE AI on June 4, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Django to the latest release (at least 5.2.15 or 6.0.6) where Cache‑Control directives are matched case‑insensitively.
  • Remove or replace UpdateCacheMiddleware for sensitive views until the update is applied.
  • Clear existing cache entries that may have been stored incorrectly before applying the patch and verify that subsequent responses respect appropriate caching policies.

Generated by OpenCVE AI on June 4, 2026 at 01:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1289
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Djangoproject
Djangoproject django
Vendors & Products Djangoproject
Djangoproject django

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
Title Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
Weaknesses CWE-178
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Djangoproject Django
cve-icon MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-06-03T15:46:40.439Z

Reserved: 2026-05-12T15:06:18.803Z

Link: CVE-2026-8404

cve-icon Vulnrichment

Updated: 2026-06-03T15:46:37.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T14:16:47.650

Modified: 2026-06-05T12:38:18.840

Link: CVE-2026-8404

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-03T13:16:29Z

Links: CVE-2026-8404 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T01:45:46Z

Weaknesses
  • CWE-1289

    Improper Validation of Unsafe Equivalence in Input

  • CWE-178

    Improper Handling of Case Sensitivity