Cache Handling Flaw in Django by Django Software Foundation
CVE-2026-8404

2.3LOW

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 June 2026

What is CVE-2026-8404?

A critical issue has been found in the Django framework affecting versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6. The django.middleware.cache.UpdateCacheMiddleware is unable to match the Cache-Control response directives case-insensitively. This can allow attackers to exploit wrongly cached responses when uppercase or mixed-case values are used in the directives. Moreover, earlier versions of Django that are no longer supported (such as 5.0.x, 4.1.x, and 3.2.x) have not been formally evaluated but may also be affected.

Affected Version(s)

Django 6.0 < 6.0.6

Django 5.2 < 5.2.15

Django 6.0.6

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/jun/03/security...
vendor-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ahmed Badawe
Jake Howard
Natalia Bidart
.