Use of Web Browser Cache Containing Sensitive Information in Django - CVE-2026-6907

Published: May 5, 2026

Vulnerability identifier: #VU130192
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-6907
CWE-ID: CWE-525
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Django
Software vendor: Django Software Foundation

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware when processing responses whose Vary header contains an asterisk ('*'). A Vary value of '*' signals that the response depends on request attributes the cache cannot key on and therefore must not be reused for any other request; the middleware nevertheless stores such responses. A remote attacker can trigger caching of private data to disclose sensitive information.

Private data may be stored in the cache and later served to other users.
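As an added illustration that is not part of this advisory or of Django's own code: a standalone decision function showing how a shared cache must treat the Vary header the advisory describes, extended to the Cache-Control private/no-store case. The function and parameter names are assumptions.

```python
# Hypothetical helper (not Django's API): decide whether a shared cache may
# store a response and, if so, under which key. Follows RFC 9110 semantics:
# a Vary of '*' means no later request can be proven equivalent, so the
# response must not be stored at all.
import hashlib
from typing import Mapping, Optional


def parse_vary(vary_value: Optional[str]) -> list[str]:
    """Split a Vary header into lower-cased field names; '*' is kept as-is."""
    if not vary_value:
        return []
    return [v.strip().lower() for v in vary_value.split(",") if v.strip()]


def decide_cache_key(url: str, request_headers: Mapping[str, str],
                     response_headers: Mapping[str, str]) -> Optional[str]:
    """Return the cache key for this response, or None if it must not be stored."""
    # Cache-Control: private / no-store disqualifies a shared-cache entry.
    cc = {d.strip().split("=")[0].lower()
          for d in response_headers.get("Cache-Control", "").split(",")
          if d.strip()}
    if cc & {"private", "no-store"}:
        return None
    vary = parse_vary(response_headers.get("Vary"))
    # '*' (alone or alongside named fields) can never be matched by a key,
    # so storing the response would serve one user's data to another.
    if "*" in vary:
        return None
    # Otherwise the key is the URL plus the value of every varied request header.
    req = {k.lower(): v for k, v in request_headers.items()}
    parts = [url] + [f"{name}={req.get(name, '')}" for name in sorted(vary)]
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()
```

Until the vendor update is applied, views returning per-user data can be marked with Django's `never_cache` decorator, which sets Cache-Control: private so the caching middleware skips the response.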

Remediation

Install security update from vendor's website.