CVE-2026-6907 PUBLISHED

Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware

Assigner: DSF
Reserved: 23.04.2026 Published: 05.05.2026 Updated: 05.05.2026

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk ('*'). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	djangoproject
Product	Django
Versions	Default: unaffected affected from 6.0 to 6.0.5 (excl.) Version 6.0.5 is unaffected affected from 5.2 to 5.2.14 (excl.) Version 5.2.14 is unaffected

Credits

Ahmad Sadeddin reporter
Sarah Boyce remediation developer
Sarah Boyce coordinator

References

Problem Types

CWE-524: Use of Cache Containing Sensitive Information CWE

Impacts

CAPEC-204: Lifting Sensitive Data Embedded in Cache