CVE-2026-48588
Received Received - Intake

Cache Poisoning in Django Web Framework

Vulnerability report for CVE-2026-48588, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Django Software Foundation

Description

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Chris Whyland for reporting this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
django django to 5.2.16 (exc)
django django to 6.0.7 (exc)
django django 5.0
django django 4.1
django django 3.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Django's caching mechanism allows remote attackers to read private data from the shared cache when requests carry unrelated cookies. This exposure of private data could potentially lead to unauthorized access to sensitive information.

Such unauthorized data disclosure may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized access or leaks.

However, the provided information does not explicitly discuss the direct implications of this vulnerability on compliance with these standards.

Executive Summary

This vulnerability exists in Django versions 6.0 before 6.0.7 and 5.2 before 5.2.16. It involves the caching mechanisms, specifically the UpdateCacheMiddleware and the cache_page() decorator, which cache responses that vary based on cookies. When an incoming request carries unrelated cookies, these caching mechanisms may serve cached responses containing private data intended for other users. This allows remote attackers to read private data from the shared cache.

Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected, though they were not evaluated.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private data. Because the caching system may serve cached responses containing sensitive information to users with unrelated cookies, remote attackers can potentially access private data that should not be visible to them.

Mitigation Strategies

To mitigate this vulnerability, you should update Django to a fixed version where the issue is resolved.

  • Upgrade Django 6.0 to version 6.0.7 or later.
  • Upgrade Django 5.2 to version 5.2.16 or later.

Earlier unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x may also be affected, so consider upgrading to a supported and patched version.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart