CVE Catalog

CVE-2026-6907

Low
Published: Translated: NVD NIST

Summary

An issue was discovered in versions 6.0 before 6.0.5 and 5.2 before 5.2.14 in `django.middleware.cache.UpdateCacheMiddleware`, which erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served.

Risk Assessment

Organizations may expose themselves to the risk of leaking private data, which can lead to user privacy violations and potential legal consequences.

Recommendation

It is recommended to upgrade to Django versions 6.0.5 or 5.2.14 to mitigate this vulnerability and to review and secure cached data.

Original NVD description (English source)

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0

Vulnerability data from NVD (NIST) · CISA KEV · EPSS