CVE-2026-8404
3.1 LOW · An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6
Published: 2026-06-03 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 3.1 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- CWE: CWE-178 (Improper Handling of Case Sensitivity)
Affected products
| Vendor | Product |
|---|---|
| djangoproject | django |
Description
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.
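The bug class behind CWE-178 here is easy to reproduce in miniature. The following is an added example, not Django's middleware code or its fix: RFC 9111 defines Cache-Control directive names as case-insensitive, so a cache layer that compares them case-sensitively will not recognise `Private` or `NO-STORE` and may store a response the origin marked as not shareable. The `is_cacheable_naive` / `is_cacheable` functions and the `TinyCache` class are hypothetical names chosen for this illustration; the remediation for the real issue is upgrading to the fixed Django releases named above.

```python
"""Case-(in)sensitive Cache-Control directive handling (CWE-178 illustration).

Added example, not Django's code. RFC 9111 section 5.2 makes cache directive
names case-insensitive; a shared cache that compares them case-sensitively
treats "Private" or "NO-STORE" as unknown directives and may store a response
it must not, which is the class of bug this CVE describes.
"""
from __future__ import annotations

from typing import Callable, Dict, Optional


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive_name: argument_or_None}.

    Directive names are lowercased before they are stored, so callers can
    compare against canonical lowercase names. Arguments (e.g. max-age=60)
    are kept verbatim apart from stripping surrounding double quotes.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # the normalisation the naive check lacks
        if not name:
            continue
        if sep:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            directives[name] = value
        else:
            directives[name] = None
    return directives


# Response directives that forbid a shared cache from storing the response.
_UNCACHEABLE = ("no-store", "private")


def is_cacheable_naive(header: str) -> bool:
    """Vulnerable pattern: compares the raw tokens against lowercase literals.

    "Private" or "NO-STORE" never match, so the response is judged cacheable.
    """
    tokens = [p.strip() for p in header.split(",")]
    return not any(
        t == d or t.startswith(d + "=") for t in tokens for d in _UNCACHEABLE
    )


def is_cacheable(header: str) -> bool:
    """Hardened pattern: decide on normalised directive names."""
    directives = parse_cache_control(header)
    return not any(d in directives for d in _UNCACHEABLE)


class TinyCache:
    """Minimal shared cache keyed by URL, to show the consequence end to end."""

    def __init__(self, decide: Callable[[str], bool]) -> None:
        self._decide = decide
        self._store: Dict[str, bytes] = {}

    def handle_response(self, url: str, cache_control: str, body: bytes) -> None:
        """Store the body only if the cacheability policy allows it."""
        if self._decide(cache_control):
            self._store[url] = body

    def lookup(self, url: str) -> Optional[bytes]:
        """Return what a later (different) client would be served from cache."""
        return self._store.get(url)


if __name__ == "__main__":
    # Constructed sample: a per-user page the origin marks as private,
    # but with a mixed-case directive name.
    header = "Private, Max-Age=60"
    for name, policy in (("naive", is_cacheable_naive), ("hardened", is_cacheable)):
        cache = TinyCache(policy)
        cache.handle_response("/account", header, b"user-specific body")
        print(f"{name}: served from shared cache -> {cache.lookup('/account')!r}")
```

Run as a script, the naive policy stores and re-serves the private body while the hardened one stores nothing. The same normalisation should be applied wherever a cache inspects directives, including `no-store` and any argument-carrying directive such as `max-age`, since a lookup of the parsed dictionary is only as good as the casing rule used when the dictionary was built.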
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-7666 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-6873 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-48587 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
- CVE-2026-35193 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
Same CWE
- CVE-2026-45062 — FrankenPHP is a modern application server for PHP (8.1 HIGH)
- CVE-2026-47346 — Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypa...
- CVE-2026-46392 — HAX CMS helps manage microsite universe with PHP or NodeJs backends (8.7 HIGH)
- CVE-2026-48595 — Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-orig...
- CVE-2026-44367 — Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal (2.7 LOW)