Whitespace Vulnerability in Django Web Framework
CVE-2026-48587

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 June 2026

What is CVE-2026-48587?

The Django web framework has a vulnerability in the django.utils.cache.has_vary_header() function that can lead to potential cache poisoning. This issue arises because leading or trailing whitespace in Vary response header values is not stripped before comparison. Consequently, remote attackers may exploit this by crafting requests to URLs that yield responses with whitespace-padded Vary headers, allowing them to access cached responses that should otherwise be protected. Earlier unsupported Django series, including 5.0.x, 4.1.x, and 3.2.x, have not been evaluated but could also be impacted by this vulnerability.

Affected Version(s)

Django 6.0 < 6.0.6

Django 5.2 < 5.2.15

Django 6.0.6

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Navid Rezazadeh
Jake Howard
Natalia Bidart
.