Potential exposure of private data due to incorrect handling of...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Description

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmad Sadeddin for reporting this issue.

Basic Information

ID CVE-2026-6907

Source DSF

Published May 5, 2026 at 14:50

Affected Product

Vendor djangoproject

Product Django

Version 6.0

Affected Versions djangoproject Django 6.0
djangoproject Django 5.2

CWE Classification

CWE-524

References

{
    "lastseen": "",
    "description": "An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.\n`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Ahmad Sadeddin for reporting this issue.",
    "published": "2026-05-05T14:50:02.594Z",
    "modified": "2026-05-05T14:50:02.594Z",
    "type": "cve",
    "title": "Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware",
    "source": "DSF",
    "references": "https://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2026/may/05/security-releases/",
    "id": "CVE-2026-6907",
    "bulletinFamily": "",
    "cwe": [
        "CWE-524"
    ],
    "cvelist": null,
    "sourceData": "djangoproject Django 6.0\ndjangoproject Django 5.2",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Django",
    "version": "6.0",
    "vendor": "djangoproject",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Potential exposure of private data due to incorrect handling of Vary: * in UpdateCacheMiddleware_CVE-2026-6907