Django Middleware Vulnerability in Django Products
CVE-2026-6907

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
5 May 2026

What is CVE-2026-6907?

A vulnerability has been identified in specific versions of Django, where the UpdateCacheMiddleware inadvertently caches requests if the Vary header contains an asterisk ('*'). This flaw can result in sensitive user data being improperly stored and potentially served to unauthorized users. Users of unsupported Django iterations may also be affected by this security issue. The Django team appreciates the efforts of Ahmad Sadeddin for bringing this matter to their attention.

Affected Version(s)

Django 6.0 < 6.0.5

Django 5.2 < 5.2.14

Django 6.0.5

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/may/05/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ahmad Sadeddin
Sarah Boyce
Sarah Boyce
.