CVE-2026-8404
Cache-Control Bypass in Django via Case-Insensitive Matching
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: Django Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| django | django | 5.2 series, before 5.2.15 (5.2.15 excluded) |
| django | django | 6.0 series, before 6.0.6 (6.0.6 excluded) |
| django | django | 5.0 |
| django | django | 4.1 |
| django | django | 3.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Django versions 5.2 before 5.2.15 and 6.0 before 6.0.6. It involves the django.middleware.cache.UpdateCacheMiddleware component, which does not handle Cache-Control response directives in a case-insensitive manner.
Because of this, if a response's Cache-Control header uses uppercase or mixed-case values, the middleware may incorrectly cache the response. This allows remote attackers to read responses that should not have been cached.
Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected.
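The following is an added example and not Django's own middleware code. It shows the defect class described above in a simplified cache policy: a check that compares Cache-Control directive names case-sensitively lets a response marked `Private` or `No-Store` through, while a parser that folds directive names to lower case (as RFC 9111 requires, since directive names are compared case-insensitively) rejects it. The function names, the `UNCACHEABLE` policy set and the sample responses are constructed for illustration.

```python
"""Added example: case-sensitive vs case-insensitive Cache-Control matching.

This is not Django's implementation; it is a minimal stand-in for the decision a
caching middleware makes before storing a response in a shared cache.
"""
from typing import Dict, List, Optional, Tuple

# Simplified policy (constructed): a shared cache must not store a response
# carrying any of these directives, whatever case the application emitted.
UNCACHEABLE = {"no-store", "no-cache", "private"}


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: value}.

    Directive names are folded to lower case because RFC 9111 defines them as
    case-insensitive tokens. Values keep their case and lose surrounding quotes.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def cacheable_naive(header: str) -> bool:
    """The defective pattern: exact (case-sensitive) comparison of directive names.

    'Private' or 'No-Store' do not match the lower-case policy entries, so the
    response is wrongly treated as storable.
    """
    names = {part.strip().partition("=")[0] for part in header.split(",")}
    return not any(name in UNCACHEABLE for name in names)


def cacheable_fixed(header: str) -> bool:
    """Corrected check: compare normalised directive names against the policy."""
    return not (UNCACHEABLE & set(parse_cache_control(header)))


# Constructed sample responses: (description, Cache-Control header value).
CONSTRUCTED_RESPONSES: List[Tuple[str, str]] = [
    ("public profile", "public, max-age=60"),
    ("account page", "private, no-store"),
    ("account page (mixed case)", "Private, No-Store"),
    ("api token view", "NO-STORE"),
]


def wrongly_cached(responses: List[Tuple[str, str]]) -> List[str]:
    """Names of responses the naive check would store but the fixed check rejects.

    Useful as a quick audit over the Cache-Control values an application emits:
    anything listed here would have leaked into a shared cache under the
    case-sensitive check.
    """
    return [name for name, cc in responses
            if cacheable_naive(cc) and not cacheable_fixed(cc)]


if __name__ == "__main__":
    for name, cc in CONSTRUCTED_RESPONSES:
        print(f"{name!r:32} naive={cacheable_naive(cc)!s:5} fixed={cacheable_fixed(cc)}")
    print("wrongly cached under naive check:", wrongly_cached(CONSTRUCTED_RESPONSES))
```

Running the block prints one line per sample response; the two mixed-case and upper-case entries are the ones the naive check accepts and the corrected check rejects. The same normalisation applies when a cache inspects `max-age`, `s-maxage` or `must-revalidate`, so a real implementation should parse the header once and look up every directive in the normalised form.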
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of cached responses because the caching middleware may store and serve sensitive data that should not be cached.
Remote attackers could exploit this flaw to read sensitive information that was incorrectly cached due to case-sensitive handling of Cache-Control headers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Django's UpdateCacheMiddleware allows remote attackers to read responses that were incorrectly cached due to case-sensitive matching of Cache-Control directives. This could potentially lead to unauthorized disclosure of sensitive information if responses containing personal or protected data are cached and accessible.
Such unauthorized data exposure could impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized access or disclosure.
However, the CVE description and provided resources do not explicitly discuss compliance implications or provide guidance on how this vulnerability affects adherence to these standards.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Django to a fixed version where the issue is resolved.
- Upgrade Django 5.2 to version 5.2.15 or later.
- Upgrade Django 6.0 to version 6.0.6 or later.
- Consider upgrading earlier unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) as they may also be affected.