CVE-2026-35192 PUBLISHED

Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

Assigner: DSF
Reserved: 01.04.2026 Published: 05.05.2026 Updated: 05.05.2026

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	djangoproject
Product	Django
Versions	Default: unaffected affected from 6.0 to 6.0.5 (excl.) Version 6.0.5 is unaffected affected from 5.2 to 5.2.14 (excl.) Version 5.2.14 is unaffected

Credits

Cantina reporter
Jake Howard remediation developer
Sarah Boyce coordinator

References

Problem Types

CWE-539: Use of Persistent Cookies Containing Sensitive Information CWE

Impacts

CAPEC-60: Reusing Session IDs (aka Session Replay)