CVE-2026-6907
Analyzed
Analyzed - Analysis Complete
Cache Poisoning in Django via Vary Header Asterisk
Vulnerability report for CVE-2026-6907, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-05
Last updated on: 2026-05-07
Assigner: Django Software Foundation
Description
Description
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14.
`django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Ahmad Sadeddin for reporting this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| djangoproject | django | From 5.2 (inc) to 5.2.14 (exc) |
| djangoproject | django | From 6.0 (inc) to 6.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-524 | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. |