CVE-2026-8404 in Django

Summary

by MITRE • 06/03/2026

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue.

Analysis

by VulDB Data Team • 06/03/2026

This vulnerability resides in the caching middleware of Django web applications, specifically within the `UpdateCacheMiddleware` component that handles HTTP response caching. The issue manifests as a case-sensitivity flaw in how Django processes `Cache-Control` response headers, which are critical for controlling how web content is cached by browsers and intermediate proxies. When cache control directives are specified in uppercase or mixed-case formats rather than the standard lowercase format, Django's middleware fails to properly recognize these directives, leading to incorrect caching behavior that can expose sensitive information to unauthorized parties.

The technical flaw stems from Django's implementation of the HTTP caching protocol where the middleware does not perform case-insensitive matching against `Cache-Control` header values. This deviation from standard HTTP behavior creates a security boundary violation where responses that should not be cached due to directives like `no-cache`, `no-store`, or `private` may be incorrectly cached when these directives appear in uppercase or mixed-case formats. The vulnerability affects Django versions 5.2 before 5.2.15 and 6.0 before 6.0.6, with the potential for older unsupported versions to be similarly affected, making this a widespread issue across multiple release lines.

The operational impact of this vulnerability is significant as it allows remote attackers to bypass intended cache control policies and potentially access cached responses that contain sensitive data. This could result in information disclosure where authenticated content, user-specific data, or administrative information becomes accessible to unauthorized users through improperly cached responses. The vulnerability particularly affects applications that rely heavily on Django's caching mechanisms and may be exploited in scenarios where attackers can control or predict response headers, or where applications use mixed-case cache directives for various reasons.

Organizations using affected Django versions should immediately upgrade to the patched releases to resolve this vulnerability. The fix implemented in Django 5.2.15 and 6.0.6 ensures proper case-insensitive matching of `Cache-Control` directives, aligning the middleware behavior with HTTP standards and preventing the exposure of sensitive content through incorrect caching. Security teams should also conduct thorough audits of their applications to identify any instances where mixed-case cache directives might be in use and ensure proper configuration of cache control headers. This vulnerability maps to CWE-295 for improper certificate validation and relates to ATT&CK technique T1566 for credential access through cache poisoning, highlighting the importance of proper HTTP header handling in maintaining application security boundaries.
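To make the case-sensitivity flaw and the audit advice concrete, the following is an added illustrative model, not Django's own middleware code: a directive check that compares `Cache-Control` tokens case-sensitively (the flawed behaviour) beside one that folds directive names to lowercase as RFC 9111 requires, plus a helper that flags responses whose casing would have been mishandled. The sample responses are constructed for the example.

```python
"""Model of the Cache-Control decision at issue (added example, not Django's code)."""

# Directives that must stop a shared cache from storing the response.
UNCACHEABLE_DIRECTIVES = {"no-cache", "no-store", "private"}


def parse_cache_control(header: str) -> dict:
    """Split a Cache-Control value into {directive: value}.

    Directive names are case-insensitive tokens per RFC 9111, so the name is
    lowercased; the value (if any) is kept as written, minus surrounding quotes.
    """
    directives = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def vulnerable_should_cache(header: str) -> bool:
    """Case-sensitive comparison modelling the flaw: 'Private' or 'NO-STORE'
    are not recognised, so the response is treated as cacheable."""
    tokens = {part.strip() for part in header.split(",")}
    return not (tokens & UNCACHEABLE_DIRECTIVES)


def hardened_should_cache(header: str) -> bool:
    """Case-insensitive comparison: any casing of no-cache/no-store/private
    blocks caching, matching the behaviour of the fixed releases."""
    return not (set(parse_cache_control(header)) & UNCACHEABLE_DIRECTIVES)


def audit_responses(responses) -> list:
    """Return paths whose header casing the flawed check would have cached
    but the hardened check rejects; these are the responses worth reviewing."""
    return [
        path for path, header in responses
        if vulnerable_should_cache(header) and not hardened_should_cache(header)
    ]


# Constructed sample responses (path, Cache-Control header), not real traffic.
SAMPLE_RESPONSES = [
    ("/account/", "Private, max-age=600"),
    ("/api/token/", "NO-STORE"),
    ("/static/app.js", "public, max-age=86400"),
    ("/admin/", "private"),
]

if __name__ == "__main__":
    print("responses mis-handled by the flawed check:", audit_responses(SAMPLE_RESPONSES))
```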

Responsible

DSF

Reservation

05/12/2026

Disclosure

06/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
