Vulnerability-Lookup

WID-SEC-W-2026-1807

Vulnerability from csaf_certbund - Published: 2026-06-04 22:00 - Updated: 2026-06-14 22:00

Summary

Django: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen

Severity

Niedrig

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Django ist ein in Python geschriebenes serverseitiges Web-Framework, das einem Model-View-Presenter-Schema folgt.

Angriff: Ein entfernter Angreifer kann mehrere Schwachstellen in Django ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2026-35193

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source Django <6.0.6 Open Source / Django		<6.0.6
Open Source Django <5.2.15 Open Source / Django		<5.2.15
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

CVE-2026-48587

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source Django <6.0.6 Open Source / Django		<6.0.6
Open Source Django <5.2.15 Open Source / Django		<5.2.15
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

CVE-2026-6873

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source Django <6.0.6 Open Source / Django		<6.0.6
Open Source Django <5.2.15 Open Source / Django		<5.2.15
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

CVE-2026-7666

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source Django <6.0.6 Open Source / Django		<6.0.6
Open Source Django <5.2.15 Open Source / Django		<5.2.15
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

CVE-2026-8404

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source Django <6.0.6 Open Source / Django		<6.0.6
Open Source Django <5.2.15 Open Source / Django		<5.2.15
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—

References

14 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.djangoproject.com/weblog/2026/jun/03/…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2484374	external
https://bugzilla.redhat.com/show_bug.cgi?id=2484372	external
https://bugzilla.redhat.com/show_bug.cgi?id=2484373	external
https://bugzilla.redhat.com/show_bug.cgi?id=2484369	external
https://bugzilla.redhat.com/show_bug.cgi?id=2484370	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Django ist ein in Python geschriebenes serverseitiges Web-Framework, das einem Model-View-Presenter-Schema folgt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in Django ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1807 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1807.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1807 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1807"
      },
      {
        "category": "external",
        "summary": "Django security releases issued: 6.0.6 and 5.2.15 vom 2026-06-04",
        "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker 2484374 vom 2026-06-04",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484374"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker 2484372 vom 2026-06-04",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484372"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker 2484373 vom 2026-06-04",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484373"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker 2484369 vom 2026-06-04",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484369"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker 2484370 vom 2026-06-04",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484370"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-F140CB16B6 vom 2026-06-05",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-f140cb16b6"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-E4146022CE vom 2026-06-05",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-e4146022ce"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:2318-1 vom 2026-06-10",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026671.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10989-1 vom 2026-06-11",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/REUATFADFSKDGEAD5FBNT64KYCFOOAJO/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20937-1 vom 2026-06-13",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E5P6J4FR77UG6GNYW5MWOMOVNIY3PVJQ/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:11003-1 vom 2026-06-14",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EBFUOCKY23Y5KO6FJT4OSSKQMBVGXPOV/"
      }
    ],
    "source_lang": "en-US",
    "title": "Django: Mehrere Schwachstellen erm\u00f6glichen Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2026-06-14T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-15T07:39:59.592+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1807",
      "initial_release_date": "2026-06-04T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-04T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-06-07T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Fedora aufgenommen"
        },
        {
          "date": "2026-06-09T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-06-11T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-06-14T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.2.15",
                "product": {
                  "name": "Open Source Django \u003c5.2.15",
                  "product_id": "T055022"
                }
              },
              {
                "category": "product_version",
                "name": "5.2.15",
                "product": {
                  "name": "Open Source Django 5.2.15",
                  "product_id": "T055022-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:djangoproject:django:5.2.15"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.0.6",
                "product": {
                  "name": "Open Source Django \u003c6.0.6",
                  "product_id": "T055023"
                }
              },
              {
                "category": "product_version",
                "name": "6.0.6",
                "product": {
                  "name": "Open Source Django 6.0.6",
                  "product_id": "T055023-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:djangoproject:django:6.0.6"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Django"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-35193",
      "product_status": {
        "known_affected": [
          "T055023",
          "T055022",
          "T002207",
          "T027843",
          "74185"
        ]
      },
      "release_date": "2026-06-04T22:00:00.000+00:00",
      "title": "CVE-2026-35193"
    },
    {
      "cve": "CVE-2026-48587",
      "product_status": {
        "known_affected": [
          "T055023",
          "T055022",
          "T002207",
          "T027843",
          "74185"
        ]
      },
      "release_date": "2026-06-04T22:00:00.000+00:00",
      "title": "CVE-2026-48587"
    },
    {
      "cve": "CVE-2026-6873",
      "product_status": {
        "known_affected": [
          "T055023",
          "T055022",
          "T002207",
          "T027843",
          "74185"
        ]
      },
      "release_date": "2026-06-04T22:00:00.000+00:00",
      "title": "CVE-2026-6873"
    },
    {
      "cve": "CVE-2026-7666",
      "product_status": {
        "known_affected": [
          "T055023",
          "T055022",
          "T002207",
          "T027843",
          "74185"
        ]
      },
      "release_date": "2026-06-04T22:00:00.000+00:00",
      "title": "CVE-2026-7666"
    },
    {
      "cve": "CVE-2026-8404",
      "product_status": {
        "known_affected": [
          "T055023",
          "T055022",
          "T002207",
          "T027843",
          "74185"
        ]
      },
      "release_date": "2026-06-04T22:00:00.000+00:00",
      "title": "CVE-2026-8404"
    }
  ]
}

CVE-2026-35193 (GCVE-0-2026-35193)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47

Title

Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-524 - Use of Cache Containing Sensitive Information

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Shai Berger Jacob Walls Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35193",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:47:08.153480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:47:18.140Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Shai Berger"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jacob Walls"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not add \u003ccode\u003eAuthorization\u003c/code\u003e to the \u003ccode\u003eVary\u003c/code\u003e response header for requests bearing that header without \u003ccode\u003eCache-Control: public\u003c/code\u003e, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Shai Berger for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Shai Berger for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:38.456Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-24T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-04-28T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-35193",
    "datePublished": "2026-06-03T13:16:38.456Z",
    "dateReserved": "2026-04-01T18:21:23.779Z",
    "dateUpdated": "2026-06-03T15:47:18.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48587 (GCVE-0-2026-48587)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:47

Title

Potential exposure of private data via whitespace padding in Vary header

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1023 - Incomplete Comparison with Missing Factors

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Navid Rezazadeh Jake Howard Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48587",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:47:33.121791Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:47:55.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Navid Rezazadeh"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.utils.cache.has_vary_header()\u003c/code\u003e in Django does not strip leading or trailing whitespace from \u003ccode\u003eVary\u003c/code\u003e response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Navid Rezazadeh for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Navid Rezazadeh for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1023",
              "description": "CWE-1023: Incomplete Comparison with Missing Factors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:47.811Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-11T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-26T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via whitespace padding in Vary header",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-48587",
    "datePublished": "2026-06-03T13:16:47.811Z",
    "dateReserved": "2026-05-21T20:50:32.465Z",
    "dateUpdated": "2026-06-03T15:47:55.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6873 (GCVE-0-2026-6873)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43

Title

Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie

Summary

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Peng Zhou Paul McMillan Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6873",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:43:52.491634Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:43:58.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Peng Zhou"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Paul McMillan"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.http.HttpRequest.get_signed_cookie\u003c/code\u003e in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct \u003ccode\u003e(name, salt)\u003c/code\u003e pairs that produce the same concatenation.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Peng Zhou for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Peng Zhou for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-475",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-475: Signature Spoofing by Improper Validation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:03.924Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-27T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-12T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-6873",
    "datePublished": "2026-06-03T13:16:03.924Z",
    "dateReserved": "2026-04-22T18:12:39.603Z",
    "dateUpdated": "2026-06-03T15:43:58.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7666 (GCVE-0-2026-7666)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:43

Title

Potential unencrypted email transmission via STARTTLS in the SMTP backend

Summary

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Kasper Dupont Jake Howard Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7666",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:43:26.714914Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:43:34.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Kasper Dupont"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.core.mail.backends.smtp.EmailBackend\u003c/code\u003e in Django fails to prevent reuse of a partially-initialized connection after a failed \u003ccode\u003eSTARTTLS\u003c/code\u003e handshake when \u003ccode\u003efail_silently=True\u003c/code\u003e, which allows on-path network attackers to read email content via cleartext interception.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Kasper Dupont for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.\n`django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Kasper Dupont for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-94",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-94: Adversary in the Middle (AiTM)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319: Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:15.446Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-22T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-12T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential unencrypted email transmission via STARTTLS in the SMTP backend",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-7666",
    "datePublished": "2026-06-03T13:16:15.446Z",
    "dateReserved": "2026-05-01T19:59:31.353Z",
    "dateUpdated": "2026-06-03T15:43:34.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8404 (GCVE-0-2026-8404)

Vulnerability from cvelistv5 – Published: 2026-06-03 13:16 – Updated: 2026-06-03 15:46

Title

Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

Summary

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

Severity

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-178 - Improper Handling of Case Sensitivity

Assigner

DSF

References

3 references

URL	Tags
https://docs.djangoproject.com/en/dev/releases/se…	vendor-advisory
https://groups.google.com/g/django-announce	mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
djangoproject	Django	Affected: 6.0 , < 6.0.6 (python) Unaffected: 6.0.6 (python) Affected: 5.2 , < 5.2.15 (python) Unaffected: 5.2.15 (python)

Date Public

2026-06-03 08:00

Credits

Ahmed Badawe Jake Howard Natalia Bidart

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8404",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T15:46:33.911128Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T15:46:40.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/Django/",
          "defaultStatus": "unaffected",
          "packageName": "django",
          "product": "Django",
          "repo": "https://github.com/django/django/",
          "vendor": "djangoproject",
          "versions": [
            {
              "lessThan": "6.0.6",
              "status": "affected",
              "version": "6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "python"
            },
            {
              "lessThan": "5.2.15",
              "status": "affected",
              "version": "5.2",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "5.2.15",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ahmed Badawe"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jake Howard"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Natalia Bidart"
        }
      ],
      "datePublic": "2026-06-03T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\u003c/p\u003e\u003cp\u003e\u003ccode\u003edjango.middleware.cache.UpdateCacheMiddleware\u003c/code\u003e in Django does not match \u003ccode\u003eCache-Control\u003c/code\u003e response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their \u003ccode\u003eCache-Control\u003c/code\u003e directives used uppercase or mixed-case values.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Ahmed Badawe for reporting this issue.\u003c/p\u003e"
            }
          ],
          "value": "An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.\n`django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmed Badawe for reporting this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-204",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-204: Lifting Sensitive Data Embedded in Cache"
            }
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
              "value": "low"
            },
            "type": "Django severity rating"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178: Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T13:16:29.593Z",
        "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "shortName": "DSF"
      },
      "references": [
        {
          "name": "Django security archive",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.djangoproject.com/en/dev/releases/security/"
        },
        {
          "name": "Django releases announcements",
          "tags": [
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/django-announce"
        },
        {
          "name": "Django security releases issued: 6.0.6 and 5.2.15",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.djangoproject.com/weblog/2026/jun/03/security-releases/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-06T00:00:00.000Z",
          "value": "Initial report received."
        },
        {
          "lang": "en",
          "time": "2026-05-12T00:00:00.000Z",
          "value": "Vulnerability confirmed."
        },
        {
          "lang": "en",
          "time": "2026-06-03T08:00:00.000Z",
          "value": "Security release issued."
        }
      ],
      "title": "Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
    "assignerShortName": "DSF",
    "cveId": "CVE-2026-8404",
    "datePublished": "2026-06-03T13:16:29.593Z",
    "dateReserved": "2026-05-12T15:06:18.803Z",
    "dateUpdated": "2026-06-03T15:46:40.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1807

CVE-2026-35193 (GCVE-0-2026-35193)

CVE-2026-48587 (GCVE-0-2026-48587)

CVE-2026-6873 (GCVE-0-2026-6873)

CVE-2026-7666 (GCVE-0-2026-7666)

CVE-2026-8404 (GCVE-0-2026-8404)

Tags

Sightings

Nomenclature