CVE-2026-35193

PYSEC-2026-197 · BIT-django-2026-35193 · CVE-2026-35193

Published Jun 3, 2026 · Modified Jun 6, 2026

Description

An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Shai Berger for reporting this issue.

References

ADVISORY https://groups.google.com/g/django-announce
FIX https://docs.djangoproject.com/en/dev/releases/security/
FIX https://www.djangoproject.com/weblog/2026/jun/03/security-releases/

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes