Session Fixation Vulnerability in Django Web Framework
CVE-2026-35192

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
5 May 2026

What is CVE-2026-35192?

A session fixation vulnerability has been identified in Django versions earlier than 6.0.5 and 5.2.14, where response headers do not vary based on cookies if a session remains unmodified but the SESSION_SAVE_EVERY_REQUEST is set to True. This flaw allows remote attackers to potentially steal users' session information when they access cached public pages. Additionally, earlier unsupported versions of Django, such as 5.0.x, 4.1.x, and 3.2.x, might also be vulnerable to this issue. Django acknowledges Cantina for highlighting this concern.

Affected Version(s)

Django 6.0 < 6.0.5

Django 5.2 < 5.2.14

Django 6.0.5

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/may/05/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Cantina
Jake Howard
Sarah Boyce
.