CVE-2026-48587 PUBLISHED

Potential exposure of private data via whitespace padding in Vary header

Assigner: DSF
Reserved: 21.05.2026 Published: 03.06.2026 Updated: 03.06.2026

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.has_vary_header() in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor djangoproject
Product Django
Versions Default: unaffected
  • affected from 6.0 to 6.0.6 (excl.)
  • Version 6.0.6 is unaffected
  • affected from 5.2 to 5.2.15 (excl.)
  • Version 5.2.15 is unaffected

Credits

  • Navid Rezazadeh reporter
  • Jake Howard remediation developer
  • Natalia Bidart coordinator

References

Problem Types

  • CWE-1023: Incomplete Comparison with Missing Factors CWE

Impacts

  • CAPEC-204: Lifting Sensitive Data Embedded in Cache