CVE-2026-8404 PUBLISHED

Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware

Assigner: DSF
Reserved: 12.05.2026 Published: 03.06.2026 Updated: 03.06.2026

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their Cache-Control directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor djangoproject
Product Django
Versions Default: unaffected
  • affected from 6.0 to 6.0.6 (excl.)
  • Version 6.0.6 is unaffected
  • affected from 5.2 to 5.2.15 (excl.)
  • Version 5.2.15 is unaffected

Credits

  • Ahmed Badawe reporter
  • Jake Howard remediation developer
  • Natalia Bidart coordinator

References

Problem Types

  • CWE-178: Improper Handling of Case Sensitivity CWE

Impacts

  • CAPEC-204: Lifting Sensitive Data Embedded in Cache