CVE-2026-35192
Analyzed Analyzed - Analysis Complete
Session Fixation in Django Web Framework

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35192
EUVD
EUVD-2026-27347
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
djangoproject django From 5.2 (inc) to 5.2.14 (exc)
djangoproject django From 6.0 (inc) to 6.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-539 The web application uses persistent cookies, but the cookies contain sensitive information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35192 is a session fixation vulnerability in Django versions before 6.0.5 and 5.2.14. The issue occurs because response headers do not vary on cookies if a session is not modified, but the setting SESSION_SAVE_EVERY_REQUEST is set to True. This allows a remote attacker to steal a user's session after the user visits a cached public page.

Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected.

Impact Analysis

This vulnerability can allow a remote attacker to steal a user's session. If an attacker obtains a valid session, they can impersonate the user and potentially gain unauthorized access to the user's account or data.

The impact is considered low severity according to Django's security policy, but it still poses a risk of session hijacking when SESSION_SAVE_EVERY_REQUEST is enabled and cached public pages are visited.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Django to a fixed version later than 6.0.5 or 5.2.14 where the issue has been resolved.

Additionally, review your Django settings and consider disabling SESSION_SAVE_EVERY_REQUEST if it is set to True, as this setting is related to the vulnerability.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart