CVE-2026-35192
Undergoing Analysis Undergoing Analysis - In Progress
Session Fixation in Django Web Framework

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-05-07
AI Q&A
2026-05-05
EPSS Evaluated
N/A
NVD
CVE-2026-35192
EUVD
EUVD-2026-27347
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
django django to 5.2.14 (exc)
django django to 6.0.5 (exc)
django django 3.2
django django 4.1
django django 5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-539 The web application uses persistent cookies, but the cookies contain sensitive information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35192 is a session fixation vulnerability in Django versions before 6.0.5 and 5.2.14. The issue occurs because response headers do not vary on cookies if a session is not modified, but the setting SESSION_SAVE_EVERY_REQUEST is set to True. This allows a remote attacker to steal a user's session after the user visits a cached public page.

Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected.


How can this vulnerability impact me? :

This vulnerability can allow a remote attacker to steal a user's session. If an attacker obtains a valid session, they can impersonate the user and potentially gain unauthorized access to the user's account or data.

The impact is considered low severity according to Django's security policy, but it still poses a risk of session hijacking when SESSION_SAVE_EVERY_REQUEST is enabled and cached public pages are visited.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Django to a fixed version later than 6.0.5 or 5.2.14 where the issue has been resolved.

Additionally, review your Django settings and consider disabling SESSION_SAVE_EVERY_REQUEST if it is set to True, as this setting is related to the vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart