Cache Vulnerability Affecting Django Web Framework
CVE-2026-48588
2.3LOW
What is CVE-2026-48588?
A vulnerability has been identified in the Django web framework that affects certain versions including 6.0 prior to 6.0.7 and 5.2 prior to 5.2.16. The issue arises from the UpdateCacheMiddleware and the cache_page() decorator, which improperly cache responses that are influenced by cookies. This flaw can potentially allow remote attackers to retrieve sensitive data from a shared cache when unrelated cookies are present in the incoming requests. Furthermore, earlier unsupported versions of Django, such as 5.0.x, 4.1.x, and 3.2.x, may also be at risk, although they have not been formally assessed for this vulnerability.
Affected Version(s)
Django 6.0 < 6.0.7
Django 5.2 < 5.2.16
Django 6.0.7
References
CVSS V4
Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Chris Whyland
Natalia Bidart
Jacob Walls
