Use of Web Browser Cache Containing Sensitive Information in Django - CVE-2026-48588
Published: July 7, 2026
Django
Detailed vulnerability description
The vulnerability allows a remote attacker to expose private data via cached responses.
The vulnerability exists due to improper cache handling in django.middleware.cache.UpdateCacheMiddleware and django.views.decorators.cache.cache_page when processing requests that already contain unrelated cookies. A remote attacker can send a request with an unrelated cookie to expose private data via cached responses.
The issue occurs when a response sets a cookie while varying on Cookie.