LOW 3.1

CVE-2026-35193: Django Cache Middleware Leaks Private User Data via Unauthenticated Requests

Django's cache middleware has a flaw that can leak private user data. When Django caches web responses, it's supposed to mark cached data as private (via the `Vary` header) if a request included authentication credentials. In Django 5.2 before version 5.2.15 and 6.0 before version 6.0.6, this protection doesn't work correctly. An attacker can make an unauthenticated request to the same URL a logged-in user visited, and Django may serve the cached private response—revealing sensitive information that should have been protected. Older Django versions (5.0.x, 4.1.x, 3.2.x) haven't been formally evaluated but may have the same problem.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-524
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in `django.middleware.cache.UpdateCacheMiddleware`. The middleware fails to include `Authorization` in the `Vary` response header when a request carries an `Authorization` header and lacks `Cache-Control: public`. The `Vary` header tells cache systems (browser cache, CDN, intermediaries) that responses for this URL differ based on the listed criteria. Without `Authorization` in `Vary`, a cache cannot distinguish between responses meant for authenticated users versus unauthenticated users. Consequently, an unauthenticated request can retrieve a cached response originally generated for an authenticated user, violating the intended caching semantics. This is classified as improper cache neutralization of sensitive information (CWE-524).

Business impact

If a Django application caches sensitive user data—account details, medical records, financial information, or any personalized content—an attacker can access it without authentication by requesting the same URL after an authenticated user has visited it. This directly violates confidentiality and may trigger regulatory compliance violations (GDPR, HIPAA, PCI-DSS) if user data is exposed. The impact is magnified in shared hosting, CDN, or proxy scenarios where cache is shared across multiple users or organizations.

Affected systems

Django 5.2 versions before 5.2.15 and Django 6.0 versions before 6.0.6 are confirmed vulnerable. Django 5.0.x, 4.1.x, and 3.2.x are noted as unsupported series that have not been formally evaluated but may be affected; organizations running these older versions should test and patch proactively. The vulnerability only manifests when `UpdateCacheMiddleware` is enabled in the application's middleware stack.

Exploitability

Exploitation requires that (1) the target Django application uses `UpdateCacheMiddleware`, (2) the application caches responses to authenticated requests, and (3) an attacker can identify a URL that serves sensitive content. No authentication or special privileges are required; the attacker simply makes an unauthenticated GET request to a cached URL. The CVSS score of 3.1 (LOW) reflects the requirement that user interaction or specific application configurations must be present, but the underlying logic flaw is straightforward to exploit once conditions align. This is not a widely exploitable vulnerability in its current form but poses real risk to applications using aggressive caching strategies.

Remediation

Upgrade to Django 5.2.15 or later for the 5.2 series, or Django 6.0.6 or later for the 6.0 series. If you cannot upgrade immediately, audit your cache configuration: disable `UpdateCacheMiddleware` if possible, or ensure that authenticated responses are explicitly marked `Cache-Control: private` or equivalent. Review middleware ordering and cache headers to confirm sensitive data is not being cached for unauthenticated access. For unsupported Django versions (5.0.x, 4.1.x, 3.2.x), assess risk tolerance and plan a migration to a supported version.

Patch guidance

1. Check your Django version with `python -m django --version`. 2. For Django 5.2.x: upgrade to 5.2.15 or later. 3. For Django 6.0.x: upgrade to 6.0.6 or later. 4. Verify the patch by testing your application's cache behavior: confirm that authenticated requests do not leak cached data to unauthenticated clients. 5. Review your cache middleware configuration in `settings.py` and ensure `Cache-Control` headers are properly set on sensitive views. 6. If running an older unsupported version, verify the advisory and test patched versions in a staging environment before production deployment.

Detection guidance

Monitor for signs of cache-based data leakage: (1) Review access logs for unauthenticated requests followed by successful data retrieval (status 200) to endpoints that should require authentication. (2) Check cached responses in your CDN or cache store for presence of `Authorization` in the `Vary` header. (3) Audit middleware configuration to confirm `UpdateCacheMiddleware` is in use and its interaction with authentication middleware. (4) Enable Django security logging and watch for unexpected cache hits on authenticated endpoints. (5) Conduct manual testing: authenticate, visit a sensitive URL, then clear cookies and request the same URL; if private data is returned, the vulnerability exists. Tools like curl with `-H` flag can verify response headers and cache directives.

Why prioritize this

While the CVSS score is LOW (3.1), this vulnerability should not be dismissed. It directly undermines confidentiality for any cached user data. Organizations with strict data protection requirements, PCI-DSS, HIPAA, or GDPR compliance obligations, or those serving sensitive financial or healthcare data should prioritize this patch immediately. Even for lower-risk environments, the fix is straightforward and should be included in the next patching cycle. The vulnerability is passive and does not enable active exploitation in the wild, but it represents a silent data leak risk that could persist undetected.

Risk score, explained

The CVSS 3.1 score of 3.1 (LOW severity) is driven by: Attack Vector (Network) = higher impact potential; Attack Complexity (High) = requires specific middleware configuration and caching strategy; Privileges Required (None) = no auth needed; User Interaction (Required) = attacker must time or know about cached content; Scope (Unchanged) = no privilege escalation; Confidentiality (Low impact in CVSS weighting). The 'LOW' rating underrepresents real-world risk for applications that cache sensitive user data, making prioritization a business decision rather than a strictly numerical one.

Frequently asked questions

Does this vulnerability affect all Django applications?

No. The vulnerability only manifests if (1) your Django application has `UpdateCacheMiddleware` enabled in the middleware stack, and (2) your application caches responses to authenticated requests. If you do not use Django's caching middleware or if your sensitive endpoints explicitly return `Cache-Control: private`, you are not affected. Check your `settings.py` for `UpdateCacheMiddleware` in `MIDDLEWARE`.

What is the practical impact if we are vulnerable?

An attacker could access cached private user data by making unauthenticated requests to URLs that serve sensitive content. For example, if a user's profile page is cached after login, an attacker could retrieve that cached profile without logging in. The risk is highest in multi-tenant environments or shared CDNs where cache is centralized.

Can we mitigate this without upgrading?

Partial mitigation is possible: disable `UpdateCacheMiddleware` if caching middleware is not critical, or ensure all authenticated views explicitly set `Cache-Control: private` headers. However, this is not a complete fix and leaves the application vulnerable. Upgrading is the recommended solution.

Are older Django versions (4.x, 3.2.x) affected?

The advisory states they were not formally evaluated but may be affected. If you run Django 5.0.x, 4.1.x, or 3.2.x, treat this as a potential risk and test in a staging environment. Consider upgrading to a supported version as part of your incident response.

This analysis is provided for informational purposes based on publicly disclosed vulnerability data. CVSS scores, patch versions, and affected product information are sourced from official Django security advisories and the National Vulnerability Database. Organizations should verify patch availability and compatibility with their specific Django installations before deploying updates. No liability is assumed for business decisions made based on this analysis. Always test patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).