SB20260505111 - Multiple vulnerabilities in Django

Published: May 5, 2026

Security Bulletin ID: SB20260505111
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-5766)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists because ASGI request handling does not properly validate file uploads whose Content-Length header is missing or understates the size of the body. A remote attacker can send a specially crafted upload request to cause a denial of service.

Large uploaded files may be loaded into memory rather than handled within the configured limits, causing service degradation or exhaustion.
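The defensive pattern behind this class of bug is to enforce the upload limit on the bytes actually received rather than on the declared Content-Length, so that a missing or understated header cannot bypass the cap. The following is an added example written for this bulletin, not Django's code: a hypothetical ASGI-style body reader (`read_body_bounded`, `MAX_IN_MEMORY`, `make_receive` and `demo` are assumed names) fed with constructed sample chunks.

```python
"""Added example (not Django's code): enforce an upload size limit on the
bytes actually received, never on the declared Content-Length alone.

`read_body_bounded`, `MAX_IN_MEMORY`, `make_receive` and `demo` are
assumed names for this example; the chunks fed in are constructed samples.
"""
import asyncio

MAX_IN_MEMORY = 64 * 1024  # assumed cap on bytes we are willing to buffer in RAM


class BodyTooLarge(Exception):
    """Raised as soon as the received (or declared) body exceeds the cap."""


def make_receive(chunks):
    """Build an ASGI-style receive() callable from a list of constructed chunks."""
    queue = list(chunks)

    async def receive():
        body = queue.pop(0) if queue else b""
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


async def read_body_bounded(receive, headers, limit=MAX_IN_MEMORY):
    """Read the request body, rejecting it once more than `limit` bytes arrive.

    The declared Content-Length is used only for cheap early rejection; a
    missing, malformed or understated value cannot bypass the cap because the
    running byte count is what is actually enforced.
    """
    try:
        declared = int(headers.get("content-length", ""))
    except ValueError:
        declared = None  # missing or garbage header: treat as unknown
    if declared is not None and declared > limit:
        raise BodyTooLarge(f"declared {declared} bytes > limit {limit}")

    received = 0
    parts = []
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        received += len(chunk)
        if received > limit:
            raise BodyTooLarge(f"received {received} bytes > limit {limit}")
        parts.append(chunk)
        if not message.get("more_body", False):
            return b"".join(parts)


def demo(declared_length, chunks, limit=MAX_IN_MEMORY):
    """Run one upload through the reader; return ('ok', size) or ('rejected', reason)."""
    headers = {} if declared_length is None else {"content-length": str(declared_length)}
    try:
        body = asyncio.run(read_body_bounded(make_receive(chunks), headers, limit))
        return ("ok", len(body))
    except BodyTooLarge as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed samples: honest upload, understated Content-Length, no Content-Length.
    print(demo(12, [b"hello ", b"world!"], limit=1024))
    print(demo(10, [b"A" * 1000, b"B" * 1000], limit=1024))  # header lies; bytes exceed cap
    print(demo(None, [b"C" * 2048], limit=1024))              # header absent; bytes exceed cap
```

The second and third samples are the shapes this bulletin describes: the header claims 10 bytes (or nothing) while the body keeps coming. A reader that trusted the header to decide whether to buffer in memory would keep accumulating; this one stops at the cap regardless of what was declared.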


2) Session Fixation (CVE-ID: CVE-2026-35192)

The vulnerability allows a remote attacker to steal a user's session.

The vulnerability exists due to improper session handling on cached public pages when the session has not been modified and SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can exploit a cached public page visited by the victim to steal the user's session.

User interaction is required: the victim must visit the cached public page.


3) Use of Web Browser Cache Containing Sensitive Information (CVE-ID: CVE-2026-6907)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware when it processes responses whose Vary header contains an asterisk ('*'). A remote attacker can trigger the caching of private data and then read it back.

Private data may be stored in the cache and later served to other users.
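Both the session issue (2) and the Vary issue (3) come down to a shared page cache storing a response it must not reuse for other visitors: one that carries a session cookie, or one whose Vary header is '*' (per RFC 9111 section 4.1 a stored response with Vary: * never matches any later request, so storing it can only leak). The following is an added example written for this bulletin, not Django's middleware: a hypothetical minimal shared cache (`should_store`, `vary_fields` and `SharedCache` are assumed names) that applies those storage checks, run over constructed request/response headers.

```python
"""Added example (not Django's code): storage checks a shared page cache must
apply before it stores a response, covering the two failure modes in this
bulletin: responses that set a (session) cookie and responses with Vary: *.

`should_store`, `vary_fields` and `SharedCache` are assumed names; all header
dictionaries below are constructed samples.
"""


def _header(headers, name):
    """Case-insensitive single-header lookup on a plain dict, or None."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def vary_fields(response_headers):
    """Parse Vary into lowercased field names; '*' is kept as a literal entry."""
    raw = _header(response_headers, "vary")
    if raw is None:
        return []
    return [f.strip().lower() for f in raw.split(",") if f.strip()]


def should_store(status, request_headers, response_headers):
    """Return (True, '') if the response may enter a shared cache, else (False, reason)."""
    if status != 200:
        return False, f"status {status} is not cached here"
    if "*" in vary_fields(response_headers):
        # RFC 9111 section 4.1: Vary: * never matches, so the entry could only leak.
        return False, "Vary: * marks the response as request-specific"
    if _header(response_headers, "set-cookie") is not None:
        # Storing this would hand the cookie (e.g. a session id) to every later visitor.
        return False, "response sets a cookie"
    directives = {d.strip().lower() for d in (_header(response_headers, "cache-control") or "").split(",")}
    if directives & {"private", "no-store"}:
        return False, "Cache-Control forbids shared storage"
    return True, ""


class SharedCache:
    """Tiny shared cache keyed on path, with Vary-selected secondary keys."""

    def __init__(self):
        self.entries = {}    # path -> list of (selecting request headers, body)
        self.rejections = []  # (path, reason) for every refused store

    def put(self, path, status, request_headers, response_headers, body):
        ok, reason = should_store(status, request_headers, response_headers)
        if not ok:
            self.rejections.append((path, reason))
            return False
        selecting = {f: (_header(request_headers, f) or "") for f in vary_fields(response_headers)}
        self.entries.setdefault(path, []).append((selecting, body))
        return True

    def get(self, path, request_headers):
        """Return a stored body whose Vary-selected request headers match, else None."""
        for selecting, body in self.entries.get(path, []):
            if all((_header(request_headers, f) or "") == v for f, v in selecting.items()):
                return body
        return None


if __name__ == "__main__":
    cache = SharedCache()
    # Constructed sample 1: private page marked Vary: * must never be stored.
    cache.put("/account", 200, {"Cookie": "sessionid=abc"}, {"Vary": "*"}, b"<balance>")
    # Constructed sample 2: public page whose response re-issues the session cookie.
    cache.put("/", 200, {"Cookie": "sessionid=abc"}, {"Set-Cookie": "sessionid=abc; Path=/"}, b"<home>")
    # Constructed sample 3: genuinely public page varying only on encoding.
    cache.put("/", 200, {"Accept-Encoding": "gzip"}, {"Vary": "Accept-Encoding"}, b"<home gz>")
    print(cache.rejections)
    print(cache.get("/", {"Accept-Encoding": "gzip"}), cache.get("/", {"Accept-Encoding": "br"}))
```

Samples 1 and 2 are the two bulletin scenarios: in sample 2 a visitor whose session was re-saved on an otherwise unchanged request would, without the Set-Cookie check, have their sessionid stored with the page and handed to the next visitor. Sample 3 shows the intended behaviour: the entry is stored and only served to requests whose Vary-selected headers match.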


Remediation

Install the updated Django release from the vendor's website.