CVE-2026-35193
3.1 LOW · An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6
Published: 2026-06-03 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 3.1 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- CWE: CWE-524
Affected products
| Vendor | Product |
|---|---|
| djangoproject | django |
Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-8404 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
- CVE-2026-7666 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-6873 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-48587 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
Same CWE
- CVE-2026-41841 — Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources (5.9 MEDIUM)
- CVE-2026-48901 — The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key (7.5 HIGH)
- CVE-2026-32244 — Discourse is an open-source discussion platform (5.3 MEDIUM)