Cache Vulnerability Affecting Django Web Framework
CVE-2026-48588

2.3LOW

Key Information:

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-48588?

A vulnerability has been identified in the Django web framework that affects certain versions including 6.0 prior to 6.0.7 and 5.2 prior to 5.2.16. The issue arises from the UpdateCacheMiddleware and the cache_page() decorator, which improperly cache responses that are influenced by cookies. This flaw can potentially allow remote attackers to retrieve sensitive data from a shared cache when unrelated cookies are present in the incoming requests. Furthermore, earlier unsupported versions of Django, such as 5.0.x, 4.1.x, and 3.2.x, may also be at risk, although they have not been formally assessed for this vulnerability.

Affected Version(s)

Django 6.0 < 6.0.7

Django 5.2 < 5.2.16

Django 6.0.7

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chris Whyland
Natalia Bidart
Jacob Walls
.