An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16.
`UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Chris Whyland for reporting this issue.
Metrics
Affected Vendors & Products
References
History
Tue, 07 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Djangoproject
Djangoproject django |
|
| Vendors & Products |
Djangoproject
Djangoproject django |
Tue, 07 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `UpdateCacheMiddleware` and the `cache_page()` decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Chris Whyland for reporting this issue. | |
| Title | Potential exposure of private data via cached Set-Cookie response | |
| Weaknesses | CWE-524 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: DSF
Published:
Updated: 2026-07-07T14:59:53.337Z
Reserved: 2026-05-21T20:50:32.466Z
Link: CVE-2026-48588
Updated: 2026-07-07T14:59:49.237Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T16:30:16Z