CVE-2026-6907
Cache Poisoning in Django via Vary Header Asterisk

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: Django Software Foundation

Description
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
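The defect described above is a cache-write guard that is missing or wrong: a response carrying `Vary: *` can never be matched against a later request (RFC 7234 section 4.1 says a Vary value of `*` always fails to match), so a shared cache must not store it at all. The following is an added, framework-independent example of that guard; it is not Django's code and not the fix for this CVE. The `GuardedCache` class, the `vary_allows_caching` helper and the two sample responses are constructed for illustration.

```python
"""Refuse to store responses whose Vary header contains '*'.

Added example, not Django's code. A Vary field-value of "*" means no
later request can match the stored response (RFC 7234 s4.1), so a shared
cache that stores it risks serving one user's private page to another,
which is the failure mode of CVE-2026-6907.
"""
from typing import Mapping, Optional


def parse_vary(vary_value: Optional[str]) -> list[str]:
    """Split a Vary header value into lower-cased field names, dropping blanks."""
    if not vary_value:
        return []
    return [name.strip().lower() for name in vary_value.split(",") if name.strip()]


def vary_allows_caching(headers: Mapping[str, str]) -> bool:
    """Return False when the response's Vary header contains '*'.

    Header names are matched case-insensitively, as HTTP requires.
    """
    vary = next((v for k, v in headers.items() if k.lower() == "vary"), None)
    return "*" not in parse_vary(vary)


class GuardedCache:
    """Minimal in-memory response cache that applies the Vary guard on write.

    Hypothetical class constructed for this example; it stands in for the
    cache a middleware such as UpdateCacheMiddleware writes into.
    """

    def __init__(self) -> None:
        self._store: dict[str, tuple[dict[str, str], bytes]] = {}

    def store(self, key: str, headers: Mapping[str, str], body: bytes) -> bool:
        """Store the response unless Vary forbids it; report whether it was stored."""
        if not vary_allows_caching(headers):
            return False
        self._store[key] = (dict(headers), body)
        return True

    def get(self, key: str):
        """Return the cached (headers, body) pair or None."""
        return self._store.get(key)


# Constructed sample responses: a public page and a per-user page that the
# application marked uncacheable with "Vary: *".
PUBLIC_RESPONSE = (
    {"Content-Type": "text/html", "Vary": "Accept-Language"},
    b"<h1>Welcome</h1>",
)
PRIVATE_RESPONSE = (
    {"Content-Type": "text/html", "Vary": "Cookie, *"},
    b"<h1>Account page for alice</h1>",
)


def demo() -> dict[str, bool]:
    """Run both responses through the guarded cache and report what happened."""
    cache = GuardedCache()
    return {
        "public_stored": cache.store("/", *PUBLIC_RESPONSE),
        "private_stored": cache.store("/account/", *PRIVATE_RESPONSE),
        "private_served_from_cache": cache.get("/account/") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the guard is the write side: once a `Vary: *` response is in a shared cache, every read of that key is a potential cross-user disclosure, so the check belongs before the store, not at lookup time. The same helper can be run over captured response headers to audit which views are emitting `Vary: *` alongside a caching middleware.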
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor Product Version / Range
djangoproject django From 5.2 (inc) to 5.2.14 (exc)
djangoproject django From 6.0 (inc) to 6.0.5 (exc)
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Executive Summary

This vulnerability exists in Django 6.0 before 6.0.5 and 5.2 before 5.2.14, where the UpdateCacheMiddleware component incorrectly caches requests that have a Vary header containing an asterisk ('*').

Because of this erroneous caching behavior, private data that should not be cached or shared can be stored and served to unintended users.

Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected by this issue.

Impact Analysis

The impact of this vulnerability is that private or sensitive data may be cached and subsequently served to unauthorized users.

This can lead to unintended data exposure, compromising user privacy and potentially leaking confidential information.

Compliance Impact

This vulnerability in Django's UpdateCacheMiddleware can lead to private data being stored and served incorrectly due to erroneous caching when the Vary header contains an asterisk. Such unintended exposure or mishandling of private data could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and proper handling of personal and sensitive information.

However, the provided information does not explicitly describe the direct effects on compliance with these standards or any mitigation steps related to regulatory requirements.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Django to a fixed version. Specifically, update to Django 6.0.5 or later if you are using the 6.0 series, or to 5.2.14 or later if you are using the 5.2 series.

Earlier unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x may also be affected, so consider upgrading to a supported and patched version.
