Cache Response Vulnerability in Django Middleware
CVE-2026-35193

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 June 2026

What is CVE-2026-35193?

A weakness in the Django cache middleware allows attackers to potentially access private cached data through unauthenticated requests. Specifically, the UpdateCacheMiddleware fails to include the Authorization header in the Vary response header for requests that do not specify Cache-Control: public. This oversight enables attackers to retrieve sensitive information from the cache by accessing the same URL as a legitimate user. Versions 5.2 before 5.2.15 and 6.0 before 6.0.6 are reported to be affected, along with earlier unsupported versions that may also suffer from this issue. The Django community has acknowledged this vulnerability and appreciates the researcher who brought it to their attention.

Affected Version(s)

Django 6.0 < 6.0.6

Django 5.2 < 5.2.15

Django 6.0.6

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Shai Berger
Jacob Walls
Natalia Bidart
.