CVE-2026-35193 in Django
Summary
by MITRE • 06/03/2026
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.
Analysis
by VulDB Data Team • 06/03/2026
This vulnerability in Django represents a critical cache poisoning and information disclosure flaw that undermines the security of web applications relying on the framework's caching mechanisms. The issue specifically affects the UpdateCacheMiddleware component, which stores outgoing responses in the configured cache so that later requests can be served from it. When a request contains an Authorization header and no Cache-Control: public directive is present, the middleware fails to include Authorization in the Vary response header. This omission creates a fundamental security gap: the cached response is keyed without regard to who requested it, so authenticated content becomes accessible to unauthenticated users who simply request the same URL.
The technical flaw stems from improper cache key generation and response header handling within Django's caching subsystem. Classified under CWE-200, this vulnerability exposes sensitive information to an unauthorized actor through inadequate access control. The Vary header is the HTTP mechanism that tells caches which request headers a stored response depends on, so that requests differing in those headers are served different variants. When Authorization is not included in the Vary header, the cache treats responses for different authorization states as identical, allowing unauthorized access to cached content. This behavior directly violates the principle of least privilege and enables attackers to exploit the caching layer to gain access to private data that should only be available to authenticated users.
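The following added example is a simplified model of Vary-driven cache keying written for this page; it is not Django's UpdateCacheMiddleware code. It assumes (as HTTP caching semantics suggest) that Cache-Control: public is a response directive, models the fix as adding Authorization to Vary when the request carried that header and the response is not public, and uses constructed sample requests.

```python
import hashlib

# Constructed sample requests and path (not taken from the advisory).
AUTH_REQ = {"Authorization": "Bearer user-token-123", "Accept": "text/html"}
ANON_REQ = {"Accept": "text/html"}
PATH = "/account/"


def vary_for_response(request_headers, response_headers, patched):
    """Model of the Vary header the cache middleware would attach (simplified).

    Unpatched model: Vary stays exactly as the view set it.
    Patched model (assumed, per the advisory's description): when the request
    carried Authorization and the response is not Cache-Control: public,
    Authorization is added to Vary so the cache key depends on it.
    """
    vary = {h.strip() for h in response_headers.get("Vary", "").split(",") if h.strip()}
    public = "public" in response_headers.get("Cache-Control", "").lower()
    if patched and "Authorization" in request_headers and not public:
        vary.add("Authorization")
    return vary


def cache_key(path, request_headers, vary):
    """Key derived from the URL plus only the request headers named in Vary."""
    parts = [path] + [f"{h.lower()}={request_headers.get(h, '')}" for h in sorted(vary)]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def simulate(patched):
    """Return True if an anonymous request is served the authenticated user's page."""
    store = {}
    # 1. Authenticated user fetches a private page; the view set Vary but no Cache-Control.
    private_resp = {"Vary": "Accept", "body": "balance: 1234"}
    vary = vary_for_response(AUTH_REQ, private_resp, patched)
    store[cache_key(PATH, AUTH_REQ, vary)] = private_resp  # middleware stores it
    # 2. Anonymous client requests the same URL; lookup uses the stored Vary list.
    hit = store.get(cache_key(PATH, ANON_REQ, vary))
    return hit is not None and hit["body"] == private_resp["body"]


if __name__ == "__main__":
    print("unpatched leaks private page:", simulate(patched=False))  # True
    print("patched leaks private page:  ", simulate(patched=True))   # False
```

With the unpatched model both requests hash to the same key, so the anonymous lookup returns the authenticated user's body; with Authorization in Vary the keys differ and the lookup misses.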
The operational impact of this vulnerability is severe and affects a wide range of Django applications that implement caching mechanisms. Attackers can exploit this flaw by making unauthenticated requests to URLs that have previously been accessed by authenticated users, potentially gaining access to sensitive data, user sessions, or private application resources. The vulnerability affects multiple Django versions including 5.2.x before 5.2.15 and 6.0.x before 6.0.6, with the potential for older unsupported versions also being affected. This widespread impact means that numerous applications across different environments and deployment scenarios could be compromised, particularly those that rely heavily on Django's built-in caching features for performance optimization.
From an ATT&CK perspective, this vulnerability maps to T1566.002 (Phishing: Spearphishing Attachments) and T1595.001 (Active Scanning: Network Scanning) as attackers can leverage the cache poisoning technique to harvest sensitive information. The vulnerability also aligns with T1213.002 (Data from Information Repositories: Databases) and T1071.004 (Application Layer Protocol: DNS) when attackers use the compromised cache to access unauthorized data. Organizations using Django applications must consider this vulnerability as a potential vector for data exfiltration and privilege escalation attacks, particularly in environments where sensitive user data is cached without proper authorization controls.
The recommended mitigations include immediate upgrade to Django versions 5.2.15 or 6.0.6 where the issue has been patched. Administrators should also implement additional security controls such as ensuring that all cacheable responses include proper Cache-Control headers with appropriate public or private directives. The Django security team's acknowledgment of the report from Shai Berger highlights the importance of community-driven security research in identifying and resolving such vulnerabilities. Organizations should conduct comprehensive security assessments of their Django applications to identify any cached content that may be vulnerable to this type of attack, particularly focusing on endpoints that handle authentication and authorization data. Additionally, implementing proper monitoring and logging of cache behavior can help detect potential exploitation attempts and provide early warning of unauthorized access patterns.